Advisory April 18, 2024

OpenMetadata vulnerabilities on Kubernetes clusters

Microsoft recently discovered an attack exploiting critical vulnerabilities within OpenMetadata, with the purpose of gaining access to Kubernetes workloads and employing them for cryptomining. Five vulnerabilities can be exploited to carry out the attack: CVE-2024-28253, CVE-2024-28254, CVE-2024-28255, CVE-2024-28847 and CVE-2024-28848.

Description:

OpenMetadata is an open-source platform designed to manage metadata across various data sources.

The discovered vulnerabilities were observed being exploited in the wild during April. These vulnerabilities could be exploited by attackers to bypass authentication and achieve remote code execution.

Attackers target OpenMetadata workloads on Kubernetes that are reachable from the internet. Upon discovering a vulnerable version, they exploit its vulnerabilities to execute code within the container. Once access is secured, they verify control over the compromised system, and then use the compromised Kubernetes workloads for cryptomining.

Vulnerabilities:

CVE-2024-28253: This vulnerability leads to remote code execution in OpenMetadata. The “CompiledRule::validateExpression” method allows attackers to execute arbitrary system commands.

Severity: Critical (CVSS Base Score: 9.4)

CVE-2024-28254: Similar to the previous vulnerability, this one also allows remote code execution in OpenMetadata. The “/api/v1/events/subscriptions/validation/condition/<expression>” endpoint permits arbitrary SpEL expressions, leading to command execution by authenticated (non-admin) users.

Severity: High (CVSS Base Score: 8.8)

CVE-2024-28255: This vulnerability leads to authentication bypass in OpenMetadata. The “JwtFilter” handles API authentication by verifying JWT tokens. However, an attacker can manipulate path parameters so that the filter skips JWT validation, resulting in authentication bypass and access to arbitrary endpoints, including those mentioned above.

Severity: Critical (CVSS Base Score: 9.8)

CVE-2024-28847: Another vulnerability in OpenMetadata that allows remote code execution. Attackers can exploit the “AlertUtil::validateExpression” method to execute arbitrary code. An authorization check exists, but it is only called after the SpEL expression has already been evaluated, so it does not prevent the execution.

Severity: High (CVSS Base Score: 8.8)

CVE-2024-28848: This vulnerability leads to remote code execution in OpenMetadata, like the previous ones. The “CompiledRule::validateExpression” method evaluates SpEL expressions, potentially allowing interaction with Java classes such as java.lang.Runtime and leading to arbitrary system command execution by authenticated (non-admin) users.

Severity: High (CVSS Base Score: 8.8)

Affected Versions:

The vulnerabilities affect OpenMetadata versions prior to 1.3.1.

Recommendations:

To address these critical vulnerabilities and avoid a potential attack, the following steps can be followed:

  • Update clusters that run OpenMetadata workloads to version 1.3.1 or later.
  • Use strong authentication and avoid default credentials when OpenMetadata is exposed to the internet.
  • Identify malicious activity by utilizing Microsoft Sentinel to monitor Kubernetes clusters through the Azure Kubernetes Service (AKS) integration with Sentinel.
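A quick inventory check for the first recommendation, added here as an example and not part of the original advisory: it walks a Kubernetes Deployment listing (the shape returned by `kubectl get deployments -A -o json`), picks out OpenMetadata containers and classifies each image tag against the 1.3.1 fix version. The sample deployments, registry host and image names are constructed for the example; unpinned tags such as `latest` are reported as unknown rather than assumed safe.

```python
import json
import re

FIXED_VERSION = (1, 3, 1)  # advisory: OpenMetadata versions prior to 1.3.1 are affected

def _deployment(namespace, name, image):
    """Build a minimal Deployment object in the shape `kubectl get deployments -A -o json` returns."""
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"template": {"spec": {"containers": [{"name": name, "image": image}]}}}}

# Constructed sample inventory (registry host and image names are illustrative, not from a real cluster).
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    _deployment("data", "openmetadata-server", "registry.example.com:5000/openmetadata/server:1.2.0"),
    _deployment("data", "openmetadata-patched", "registry.example.com:5000/openmetadata/server:v1.3.1"),
    _deployment("data", "openmetadata-unpinned", "registry.example.com:5000/openmetadata/server:latest"),
    _deployment("web", "frontend", "nginx:1.25"),
]})

def parse_version(tag):
    """Turn '1.2.0', 'v1.3.1' or '1.3.1-rc1' into a comparable tuple; None if the tag is not a version."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def image_tag(image):
    """Extract the tag from an image reference; a registry port (host:5000/...) is not a tag."""
    last = image.rsplit("/", 1)[-1]          # 'server:1.2.0' or 'nginx:1.25'
    if "@" in last:                          # digest-pinned reference: drop the digest part
        last = last.split("@", 1)[0]
    return last.split(":", 1)[1] if ":" in last else "latest"

def find_openmetadata_workloads(deployments_json):
    """Return (namespace/name, image, status) for every OpenMetadata container found.
    status: 'vulnerable' (< 1.3.1), 'patched' (>= 1.3.1) or 'unknown' (unpinned tag such as 'latest')."""
    findings = []
    for item in json.loads(deployments_json)["items"]:
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            if "openmetadata" not in c["image"].lower():
                continue
            v = parse_version(image_tag(c["image"]))
            status = "unknown" if v is None else ("vulnerable" if v < FIXED_VERSION else "patched")
            findings.append((f"{meta['namespace']}/{meta['name']}", c["image"], status))
    return findings

if __name__ == "__main__":
    for workload, image, status in find_openmetadata_workloads(SAMPLE_DEPLOYMENTS):
        print(f"{status:10} {workload} ({image})")
```

Against a real cluster, feed the script the actual `kubectl get deployments -A -o json` output instead of SAMPLE_DEPLOYMENTS; workloads reported as unknown should be resolved by checking the running image's actual version.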


References:

security alert