CISA Alerts on Exploitation of Apache Superset Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog to include six additional entries, one of which is a vulnerability in Apache Superset disclosed in April 2023.

Apache Superset, an open-source Python application, is designed to assist users in exploring and visualizing large datasets. The vulnerability in question revolves around the application’s session cookies, signed with a secret key for authentication. Although the key is intended to be randomly generated, a report from penetration testing firm Horizon3.ai in April last year revealed that Superset instances were defaulting the key to a specific value. Approximately 2,000 instances accessible from the internet were found to be using this default key.

Exploiting this vulnerability could allow attackers to log in as administrators, gain access to connected databases, manipulate data, and execute code remotely. While database connections are typically set up with read-only permissions, an attacker with admin access could enable writes and data model language (DML) statements. The SQL Lab interface in Superset also permits attackers to run arbitrary SQL statements against connected databases.

The issue was initially discovered in 2021, with the secret key value rotated in 2022 to a new default and a warning added to the logs. The bug, now tracked as CVE-2023-27524, has been addressed in Superset version 2.1, which prevents the server from starting if the secret key value is the default one.

CISA’s addition of this vulnerability to the KEV catalog indicates that threat actors have initiated exploitation in the wild. However, specific details about observed attacks have not been provided by the agency.

In addition to the Apache Superset vulnerability, CISA added two recently resolved Adobe ColdFusion flaws, a code execution bug in Apple products, an improper access check issue in Joomla, and a command injection issue in D-Link DSL-2750B devices to the KEV catalog.

Organizations, not just federal agencies affected by the Binding Operational Directive (BOD) 22-01, are advised to review the KEV catalog and prioritize patching for the listed vulnerabilities or discontinue the use of impacted products without available mitigations.

Your source for supply chain report news updates: The Supply Chain Report. For international trade insights and tools, head to ADAMftd.com.

#Cybersecurity #CISA #KnownExploitedVulnerabilities #ApacheSuperset #VulnerabilityManagement #DataSecurity #PenetrationTesting #Horizon3ai #AdobeColdFusion #AppleSecurity #Joomla #DLink #SecurityPatches #VulnerabilityAssessment