Researchers from the security firm Intezer uncovered a slew of misconfigured Apache Airflow servers that were exposing sensitive information, including credentials, from a number of IT organizations.
Apache Airflow is an open-source workflow management software that is used by numerous businesses across the world to automate business and IT activities.
The post published by Intezer stated, “These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.”
Researchers examined the dangers of misconfiguration for companies and their customers, as well as the most frequent reasons for data leakage from vulnerable cases. According to Intezer researchers, the majority of the stolen credentials are disclosed due to unsafe coding techniques, with many of the compromised instances having hardcoded passwords inside the Python DAG Code.
Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys.
Malicious actors may potentially alter the settings, resulting in unforeseen behaviour.
Other misconfigured installations examined by Intezer included a publicly available configuration file (airflow.cfg) containing confidential information such as passwords and keys.
Threat actors may also alter the settings, resulting in unforeseen behaviour.
The credentials might likewise be exposed via the Airflow "variables" used in DAG scripts.
As per experts, it is quite common to find hardcoded passwords stored in these variables. Threat actors could also exploit Airflow plugins or features to execute malware that could be injected into variables.
“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.”
“Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.”
The research focused on earlier versions of Apache Airflow and emphasised the hazards associated with using out-of-date software.
The majority of the problems highlighted in the study were affected servers using Airflow v1.x; however, subsequent versions of Airflow incorporate security measures that address the aforementioned concerns.
“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.”
The security firm advised, "Disruption of clients' operations through poor cybersecurity practices can also result in legal action such as class action lawsuits."
