Apache Airflow Servers Leak Thousands of Credentials
A Misconfiguration Flaw Exposes Instances Over the Web.
Apache Airflow is one of the most popular open-source workflow management platforms.
While investigating a misconfiguration flaw in Apache Airflow, researchers from Intezer discovered a large number of instances exposed over the web.
These instances were leaking sensitive information from well-known tech companies.
Nicole Fishbein and Ryan Robinson are the researchers who disclosed details of how they identified the misconfiguration errors across Apache Airflow servers run by major tech companies.
These specific misconfiguration flaws have resulted in sensitive data leakage that included thousands of credentials coming from popular platforms and services.
As reported by BleepingComputer, Slack, PayPal, and Amazon Web Services (AWS), among others, were just a few of the platforms affected by the Apache misconfiguration flaw.
Workflow management platforms are an indispensable tool for automating business and IT tasks. These platforms make it easier to create, schedule and monitor workflows. They are typically hosted on the cloud to provide increased accessibility and scalability. On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.
While researching a misconfiguration in the popular workflow platform, Apache Airflow, we discovered a number of unprotected instances. These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.
The researchers also recommend that passwords never be hardcoded, and that full (long-form) names be used for images and dependencies.
The configuration file (airflow.cfg) is created when Airflow is first started. It holds Airflow’s configuration and can be changed by the administrator.
If the `expose_config` option in that file is mistakenly set to `True`, the configuration in question becomes readable by anyone through the webserver.
Other instances in the wild included sensitive data saved in Airflow “Variables” that an unauthorized user could modify to insert malicious code, and incorrect use of the “Connections” feature, where credentials were stored as JSON blobs in the unencrypted “Extra” field and were readable by everyone.
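The two misconfigurations described above can be checked for mechanically. The following is an added example written for this article; it is not Intezer’s tooling and not part of Apache Airflow itself. It parses an airflow.cfg the way Airflow does (INI format, without `%` interpolation, since Airflow values may contain `%(AIRFLOW_HOME)s`), flags `expose_config = True` under `[webserver]`, and lists the top-level keys of a Connection “Extra” JSON blob whose names suggest a secret. The two configuration samples and the Extra blob are constructed for illustration, and the list of secret-like key hints is an assumption of this example.

```python
import configparser
import json

# Constructed sample: the weak setting the article describes (NOT a real deployment).
WEAK_CFG = """
[core]
load_examples = False

[webserver]
expose_config = True
"""

# Constructed sample: the corrected setting.
HARDENED_CFG = """
[core]
load_examples = False

[webserver]
expose_config = False
"""

# Assumed (not from the article): substrings that usually indicate a credential key name.
SECRET_KEY_HINTS = ("password", "secret", "token", "key", "credential")


def audit_airflow_cfg(cfg_text: str) -> list:
    """Return a list of findings (strings) for risky [webserver] settings in airflow.cfg text."""
    # interpolation=None: airflow.cfg values may contain "%(AIRFLOW_HOME)s", which
    # would otherwise make configparser raise on read.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = []
    if parser.has_section("webserver"):
        # getboolean accepts True/true/1/yes; the default ("fallback") is False.
        if parser.getboolean("webserver", "expose_config", fallback=False):
            findings.append(
                "webserver.expose_config is True: airflow.cfg is readable via the web UI"
            )
    return findings


def secret_like_keys_in_extra(extra: str) -> list:
    """Return sorted top-level keys in a Connection 'Extra' JSON blob whose names look like secrets."""
    try:
        data = json.loads(extra)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    return sorted(k for k in data if any(h in k.lower() for h in SECRET_KEY_HINTS))


if __name__ == "__main__":
    # Constructed Extra blob with placeholder values; real deployments should keep such
    # values out of Extra (or use a secrets backend / Fernet-encrypted storage).
    extra = json.dumps({
        "aws_access_key_id": "<constructed-placeholder>",
        "aws_secret_access_key": "<constructed-placeholder>",
        "region_name": "us-east-1",
    })
    print("weak cfg findings:    ", audit_airflow_cfg(WEAK_CFG))
    print("hardened cfg findings:", audit_airflow_cfg(HARDENED_CFG))
    print("secret-like Extra keys:", secret_like_keys_in_extra(extra))
```

Run it against a copy of a real airflow.cfg by passing the file contents to `audit_airflow_cfg`; a non-empty result for `expose_config` is the condition that makes the whole configuration, including any credentials in it, readable through the webserver.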
The Consequences of Putting Off Patching
The goal of this study was to highlight the hazards associated with postponing software upgrades, in addition to detecting poorly configured Airflow assets.
According to Intezer, the great majority of these issues were discovered in servers running Airflow v1.x from 2015, which are still in use by many companies.
Many new security features were included in Airflow version 2, including a REST API that needs authentication for all activities. In addition, the updated version does not retain sensitive information in logs and requires the administrator to validate configuration settings directly rather than relying on defaults.
Customer records and sensitive data might be exposed as a result of security holes caused by delayed patching, which could constitute a breach of data protection regulations such as the GDPR.
Disruption of clients’ operations through poor cybersecurity practices can also result in legal action such as class action lawsuits.