The Microsoft Security Blog has reported critical vulnerabilities in the OpenMetadata platform that attackers are exploiting to take over Kubernetes workloads for crypto mining.
Five vulnerabilities allow attackers to bypass authentication and achieve remote code execution. Microsoft recommends updating OpenMetadata and implementing robust authentication measures.
OpenMetadata vulnerabilities pose an active threat to Kubernetes workloads
Recent findings from the Microsoft security blog reveal that cyber attackers are exploiting critical vulnerabilities in the OpenMetadata platform to compromise Kubernetes workloads.
These vulnerabilities, CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, affect versions prior to 1.3.1 and vary in CVSS severity, with the two highest rated at 9.8 and 9.4. Exploiting them enables attackers to bypass authentication and achieve remote code execution (RCE) on targeted systems.
OpenMetadata is a platform designed for discovery, observability, and governance, featuring a central metadata repository, detailed lineage, and team collaboration tools. With metadata schemas, a metadata store, APIs, and an ingestion framework, it facilitates data discovery. Unfortunately, compromised workloads often become conduits for illicit crypto-mining activities.
CVE-2024-28255, a critical vulnerability (CVSS 9.8) in the OpenMetadata platform, affects its API authentication mechanism. Specifically, the JwtFilter handles API authentication by verifying JWT tokens. Attackers can bypass this check by requesting excluded endpoints using path parameters. Developers addressed this issue in version 1.2.4.
CVE-2024-28255, another critical vulnerability rated CVSS 9.4, arises from weaknesses in how JwtFilter validates JWT tokens. During authorization, the authorizer.authorize() check is mistakenly called after prepareInternal(), so prepareInternal() runs first and evaluates the SpEL expression before the request has been authorized. Exploiting this flaw involves sending a PUT request to /api/v1/policies, potentially resulting in remote code execution. The issue was addressed in version 1.3.1.
All about the attack
Attackers target internet-exposed, vulnerable versions of OpenMetadata, exploiting the flaws to gain code execution inside the containers running the OpenMetadata image. After gaining a foothold, they validate the intrusion with ping requests to domains such as oast[.]me and oast[.]pro, confirming successful exploitation and outbound connectivity before establishing command-and-control channels and deploying malicious payloads.
After confirming access, the attackers download crypto-mining malware from a remote server to mine XMR (Monero), running it with elevated permissions.
Notably, Microsoft traced the attacker’s server location to China. Furthermore, the server was found to host other malware targeting Linux and Windows operating systems.
Mitigation
- Update the OpenMetadata image in clusters hosting OpenMetadata workloads to the latest version, preferably version 1.3.1 or newer.
- Implement robust authentication mechanisms when exposing OpenMetadata to the Internet.
- Avoid using default credentials.
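An added example (not code from the Microsoft post or the OpenMetadata project) of two defender checks drawn from the attack description and the mitigation list above: flagging OpenMetadata images older than the 1.3.1 fix in a pod image inventory, and surfacing DNS lookups to the oast.me / oast.pro callback domains the attackers use to confirm connectivity. The image path, the resolver log format and all sample data are constructed assumptions.

```python
import re

# Versions before 1.3.1 are affected, per the post. The image path used in the
# samples is a constructed example; substitute your registry's OpenMetadata image.
FIXED_VERSION = (1, 3, 1)
OAST_DOMAINS = ("oast.me", "oast.pro")

def parse_version(tag):
    """Return (major, minor, patch) from a tag such as '1.2.3' or 'v1.2.3', else None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def vulnerable_openmetadata_images(image_refs):
    """Return OpenMetadata image references older than the 1.3.1 fix.
    Unparseable tags ('latest', digests, no tag) are reported too, because an
    unpinned tag gives no evidence that the fixed build is what is running."""
    findings = []
    for ref in image_refs:
        if "openmetadata" not in ref.lower():
            continue
        last = ref.rsplit("/", 1)[-1]               # "server:1.2.3" or "server"
        tag = last.split(":", 1)[1] if ":" in last else ""
        ver = parse_version(tag)
        if ver is None or ver < FIXED_VERSION:
            findings.append(ref)
    return findings

def oast_callbacks(dns_log_lines):
    """Return (client, qname) pairs for lookups under oast.me / oast.pro.
    Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in OAST_DOMAINS):
            hits.append((client, qname))
    return hits

SAMPLE_IMAGES = ["docker.getcollate.io/openmetadata/server:1.2.3",  # constructed inventory
                 "docker.getcollate.io/openmetadata/server:1.3.1",
                 "openmetadata/server:latest", "postgres:15"]
SAMPLE_DNS = ["2024-04-17T10:00:01Z 10.42.0.17 abc123.oast.me. A",  # constructed log lines
              "2024-04-17T10:00:02Z 10.42.0.17 github.com. A",
              "2024-04-17T10:00:03Z 10.42.0.23 xyz.oast.pro. A"]

if __name__ == "__main__":
    print(vulnerable_openmetadata_images(SAMPLE_IMAGES))
    print(oast_callbacks(SAMPLE_DNS))
```

Feed the image list from your cluster's pod specs and the log lines from your cluster DNS resolver; a hit from a pod that is also running an old OpenMetadata image is the combination described in the post.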