On May 28, 2020, Apache Kylin officially released a security bulletin disclosing a remote code execution vulnerability. Some of Kylin's RESTful APIs concatenate user-supplied strings into OS commands without any validation or protection, so an attacker can execute arbitrary OS commands on the Kylin host.
Analysis
Patch:
Starting from the migrateCube method changed by the patch, find the corresponding route in the controller to determine the entry point for exploiting the vulnerability.
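As an added illustration of the bug class described above (hypothetical Java, not Kylin's own code and not taken from the patch), the following contrasts a handler that splices request parameters into a single shell command line with a hardened version that validates the cube and project names against a strict identifier pattern and passes each value as a separate argument so no shell ever interprets user input. The class, method and script names are assumptions.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical example of the vulnerability class; not Apache Kylin's actual code.
public class MigrateCommandExample {

    // Vulnerable pattern: user-controlled cube/project names are concatenated into
    // one command line that is later handed to a shell, so shell metacharacters in
    // those names change which commands run.
    static String buildVulnerableCommand(String cube, String project,
                                         String srcCfg, String dstCfg) {
        return "bin/migrate-cube.sh " + srcCfg + " " + dstCfg + " "
                + cube + " " + project + " true true";
    }

    // Hardened: names must match the identifier syntax the application expects;
    // anything else is rejected before any process is started.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z0-9_]{1,100}$");

    static String requireIdentifier(String value, String field) {
        if (value == null || !IDENTIFIER.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + field + " name");
        }
        return value;
    }

    // argv for ProcessBuilder: each element reaches the tool verbatim, with no
    // shell in between. srcCfg/dstCfg come from server-side configuration
    // (e.g. the auto-migrate-cube properties), not from the HTTP request.
    static List<String> buildSafeArgv(String cube, String project,
                                      String srcCfg, String dstCfg) {
        return List.of("bin/migrate-cube.sh", srcCfg, dstCfg,
                requireIdentifier(cube, "cube"),
                requireIdentifier(project, "project"),
                "true", "true");
    }

    static int runMigration(String cube, String project, String srcCfg, String dstCfg)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(buildSafeArgv(cube, project, srcCfg, dstCfg))
                .inheritIO()
                .start();
        return p.waitFor();
    }
}
```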
Reproduction
We built an Apache Kylin 3.0.1 environment to reproduce this vulnerability and configured the following three properties:
kylin.tool.auto-migrate-cube.enabled=true
kylin.tool.auto-migrate-cube.src-config=/home/admin/apache-kylin-3.0.1-bin-hbase1x
kylin.tool.auto-migrate-cube.dest-config=/tmp/kylin.properties
Configuration is as follows:
We sent crafted malicious HTTP requests and achieved code execution, as shown below:
Affected Apache Kylin versions:
Kylin 2.3.0 - 2.3.2
Kylin 2.4.0 - 2.4.1
Kylin 2.5.0 - 2.5.2
Kylin 2.6.0 - 2.6.5
Kylin 3.0.0-alpha
Kylin 3.0.0-alpha2
Kylin 3.0.0-beta
Kylin 3.0.0 - 3.0.1
Timeline
May 28, 2020: Apache Kylin officially disclosed the Apache Kylin remote code execution vulnerability CVE-2020-1956.
May 28, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.
Reference
https://kylin.apache.org/docs/security.html
https://github.com/apache/kylin/commit/9cc3793ab2f2f0053c467a9b3f38cb7791cd436a#
Solution
Remediation Solution
The vendor has released a fixed version. Please visit the following link to download the latest version.
http://kylin.apache.org/download/
Sangfor Solution
Sangfor Host Security updated its detection capability as soon as the vulnerability was discovered. Users can update to quickly detect whether their network is affected by this high-risk vulnerability and prevent it from being exploited by attackers. Offline users need to download the offline update to obtain detection capability for this vulnerability, while online users receive it automatically.
For Sangfor NGAF customers, keep NGAF security protection rules up to date.
Sangfor Cyber Command is capable of detecting attacks that exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command with Sangfor NGAF to block an attacker's IP address.
Sangfor SOC makes sure that Sangfor security specialists are available 24/7 for any security issues you may have. When the vulnerability protection rules were released, Sangfor security experts checked and updated customers' vulnerability detection devices and performed vulnerability scanning of the customers' network environments to ensure that customer hosts are free from this vulnerability. For customers found to be vulnerable, we reviewed and updated device policies to ensure protection against this vulnerability.