The Microsoft security blog reports that the OpenMetadata platform has critical vulnerabilities that allow attackers to exploit Kubernetes workloads for crypto mining. Five vulnerabilities allow attackers to bypass authentication and achieve remote code execution. Microsoft recommends updating OpenMetadata and employing robust authentication measures.
OpenMetadata Vulnerabilities Threaten Kubernetes Workloads, Actively Exploited
According to the recent Microsoft security blog, cyber attackers leverage critical vulnerabilities within the OpenMetadata platform to infiltrate Kubernetes workloads. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) impact versions preceding 1.3.1. The five carry different CVSS scores, the highest being 9.8 and 9.4 (more on these below). Successful exploitation allows attackers to bypass authentication and achieve remote code execution (RCE).
OpenMetadata is a discovery, observability, and governance platform with a central metadata repository, in-depth lineage, and team collaboration. It has metadata schemas, a metadata store, APIs, and an ingestion framework, and its key features include data discovery. Once compromised, however, these workloads become conduits for illicit crypto-mining activity.
Identifying Critical Vulnerabilities
CVE-2024-28255 is a critical vulnerability (CVSS: 9.8) in the OpenMetadata platform, affecting its API authentication mechanism. In brief, the `JwtFilter` handles API authentication by verifying JWT tokens. Attackers can bypass this mechanism by requesting excluded endpoints using path parameters. Developers fixed the issue in version 1.2.4.
CVE-2024-28255 is a second vulnerability, with a CVSS score of 9.4, that stems from JWT token validation deficiencies in `JwtFilter`. The authorization check `authorizer.authorize()` is called only after `prepareInternal()`, which therefore executes first and evaluates the SpEL expression. To exploit this vulnerability, an attacker can send a PUT request to `/api/v1/policies`. The issue can lead to remote code execution and is fixed in version 1.3.1.
How Does The Attack Work?
The following describes the attack sequence observed in instances where Kubernetes workloads of OpenMetadata accessible via the internet have been compromised. Attackers identify vulnerable versions and exploit the vulnerabilities to gain code execution within the container hosting the compromised OpenMetadata image, thereby obtaining initial access.
Post-infiltration, attackers validate their intrusion and gauge control using a publicly accessible service. They utilize ping requests to domains ending with oast[.]me and oast[.]pro—associated with Interactsh—to confirm successful exploitation and validate connectivity before establishing a command-and-control channel and deploying malicious payloads.
Following successful access confirmation, attackers download crypto-mining malware from a remote server for XMR mining, executed with elevated permissions. It is noteworthy that Microsoft identified the attacker’s server location as China. Additionally, other malware targeting both Linux and Windows operating systems was uncovered on the attacker’s server.
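The attack sequence above suggests two things a defender can look for in telemetry: requests to the OpenMetadata API whose paths carry path parameters or write to `/api/v1/policies` from outside the cluster, and DNS lookups for Interactsh domains from the OpenMetadata pod shortly afterwards. The following script is an added example, not code from the Microsoft report or from the OpenMetadata project; its log layout, pod CIDR, and correlation window are assumptions made for the example, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). Field layout is an assumption:
# "http <ts> <src-ip> <method> <path> <status>" from the service's access log and
# "dns <ts> <pod> <qtype> <name>" from the pod's DNS query log.
SAMPLE_LOGS = """\
http 2024-04-02T10:01:05Z 10.244.1.7 GET /api/v1/system/config 200
http 2024-04-02T10:01:09Z 203.0.113.9 GET /api/v1/system/config;x=1 200
http 2024-04-02T10:01:12Z 203.0.113.9 PUT /api/v1/policies 200
dns 2024-04-02T10:01:20Z pod/openmetadata-0 A abc123.oast.me
dns 2024-04-02T10:02:00Z pod/openmetadata-0 A github.com
http 2024-04-02T10:05:00Z 10.244.1.7 PUT /api/v1/policies 200
"""

CLUSTER_CIDR = ipaddress.ip_network("10.244.0.0/16")  # assumed pod CIDR
OAST_SUFFIXES = (".oast.me", ".oast.pro")              # Interactsh domains named in the report
WATCHED_WRITES = {("PUT", "/api/v1/policies")}         # endpoint tied to the SpEL RCE

def parse(line):
    kind, ts, *rest = line.split()
    return kind, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), rest

def http_findings(src, method, path):
    rules = []
    # ';' introduces path parameters; on OpenMetadata < 1.3.1 these could make an
    # authenticated route look like an excluded public one to JwtFilter.
    if ";" in path:
        rules.append("path-parameter-in-api-path")
    external = ipaddress.ip_address(src) not in CLUSTER_CIDR
    if (method, path.split(";")[0]) in WATCHED_WRITES and external:
        rules.append("external-policy-write")
    return rules

def analyze(log_text, window_s=300):
    findings = defaultdict(list)
    flagged_times = []  # timestamps of suspicious HTTP requests
    for line in log_text.splitlines():
        kind, ts, rest = parse(line)
        if kind == "http":
            src, method, path, _status = rest
            for rule in http_findings(src, method, path):
                findings[rule].append(line)
                flagged_times.append(ts)
        elif kind == "dns":
            _pod, _qtype, name = rest
            if name.endswith(OAST_SUFFIXES):
                findings["oast-callback-lookup"].append(line)
                # A callback lookup shortly after a flagged request matches the
                # "validate exploitation" step in the report; treat it as confirmation.
                if any(0 <= (ts - t).total_seconds() <= window_s for t in flagged_times):
                    findings["exploitation-likely-confirmed"].append(line)
    return dict(findings)

if __name__ == "__main__":
    for rule, lines in analyze(SAMPLE_LOGS).items():
        print(rule, len(lines))
```

The in-cluster PUT to `/api/v1/policies` is deliberately not flagged, since the report's concern is Internet-exposed instances; tighten `CLUSTER_CIDR` or the rule to match your own environment.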
Prevention and Mitigation Measures
To reduce the risk of exploitation, we highly recommend updating the image version of clusters hosting OpenMetadata workloads to the latest version, specifically version 1.3.1 or newer. Additionally, if you are making OpenMetadata accessible via the Internet, it is crucial to employ strong authentication mechanisms and avoid using default credentials.