$13,000 banked through scan and exploit attack methodology
Security researcher Ian Carroll has explained how he was able to exploit outdated Apache Airflow instances to find a series of vulnerabilities and collect more $13,000 in bug bounty payouts.
Apache Airflow offers a system for executing workflows, such as “copying and transforming data between data sources”. The technology inherently features web-based interfaces connected to internal databases and other systems.
Carroll suspected this was an architecture that offers a wide attack surface, a working assumption that proved more than prescient, as explained in a detailed technical write-up.
The security researcher automated scanning for outdated Apache Airflow instances vulnerable to the previously discovered CVE-2020-17526 vulnerability.
Airflow’s web interface relies on Flask’s stateless, signed cookies to handle authentication data. The flaw arose because Airflow bundles a default signing key of temporary_key.
Using the flask-unsign tool, an attacker could browse an Airflow instance’s login pages, and capture an unauthenticated cookie before testing if an installation was vulnerable.
‘SQLi as a service’
By forging the user_id attribute in captured cookies it is possible to pose as an admin, opening the door to all kinds of exploits. For one thing, keys for AWS, payment processors, and databases will often be exposed to the web UI of vulnerable Airflow instances.
“You may be able to execute ‘ad-hoc queries’ against connected data sources, even if you cannot read their credentials directly,” according to Carroll. “SQLi as a service!”
Carroll was able to use this process to identify a critical vulnerability in a transportation firm’s infrastructure, earning a $4,500 bounty in the process. He later found other similarly vulnerable Airflow installations, earning him a total of $13,000 under HackerOne and Bugcrowd bug bounty programs.
The researcher noted: “Smarter companies quickly placed Airflow behind proxies such oauth2-proxy or Duo Network Gateway, which is a strong defense against authentication issues at the application level. I highly discourage exposing Airflow directly to the internet.”
The process allowed him to uncover several critical issues in a number of bug bounty program.
Using the knowledge he’d acquired, Carroll went on to discover lower severity flaws in Apache Airflow after setting up his own local environment.
CVE-2021-26559 – the most severe of the two flaws uncovered by Carroll – is a privilege elevation flaw involving the abuse of a captured signing key.
All the discussed vulnerabilities have been resolved with the latest version of the platform. Enterprises are urged to update to v1.10.15 or v2.0.2, a potential upgrade that’s particularly important for those running Airflow internally.