Cybersecurity researchers on Monday found misconfigurations across older versions of Apache Airflow instances belonging to a number of high-profile companies across various sectors, resulting in the exposure of sensitive credentials for popular platforms and services such as Amazon Web Services (AWS), Binance, Google Cloud Platform (GCP), PayPal, Slack, and Stripe.
“These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries,” Intezer said in a report shared with The Hacker News.
Originally released in June 2015, Apache Airflow is an open-source workflow management platform that enables programmatic scheduling and monitoring of workflows on AWS, GCP, Microsoft Azure, and other third-party services. It is also one of the most popular task orchestration tools, followed by Luigi, Kubeflow, and MLflow.
Some of the most common insecure coding practices uncovered by Intezer include the use of hard-coded database passwords in Python DAG code or variables, plaintext credentials in the “Extra” field of connections, and cleartext keys in configuration files (airflow.cfg).
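An added example (not from Intezer's report or the Airflow project): a small Python audit for two of the practices listed above, cleartext secrets in airflow.cfg and string literals assigned to secret-looking names in DAG code. The option list, the name hints and both sample inputs are assumptions constructed for illustration.

```python
import ast
import configparser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of airflow.cfg options that hold secrets or URIs.
SENSITIVE_OPTIONS = {"fernet_key", "secret_key", "smtp_password",
                     "sql_alchemy_conn", "broker_url", "result_backend"}
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key")

# Constructed sample inputs; every value is a placeholder.
SAMPLE_CFG = """\
[core]
sql_alchemy_conn = postgresql+psycopg2://airflow:Example-Pass-1@db.internal/airflow
fernet_key = CONSTRUCTED_EXAMPLE_KEY=
[celery]
broker_url = redis://redis.internal:6379/0
"""
SAMPLE_DAG = '''\
import os
DB_PASSWORD = "Example-Pass-1"
api_token = os.environ["API_TOKEN"]
hook = connect(host="db.internal", password="Example-Pass-1")
'''

def scan_airflow_cfg(text):
    """Return (section, option) pairs holding a cleartext secret; URIs count only with a password."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for option, value in cfg.items(section):
            secret = option in SENSITIVE_OPTIONS and value.strip()
            if secret and ("://" not in value or urlsplit(value).password):
                findings.append((section, option))
    return findings

def scan_dag_source(source):
    """Return sorted (line, name) pairs where a string literal is bound to a secret-looking name."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # parsed only, never executed
        pairs = []
        if isinstance(node, ast.Assign):
            pairs = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.Call):
            pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        for name, value in pairs:
            literal = isinstance(value, ast.Constant) and isinstance(value.value, str)
            if literal and value.value and any(h in name.lower() for h in SECRET_NAME_HINTS):
                findings.append((value.lineno, name))
    return sorted(findings)
```

On the samples, the check flags the database URI and the Fernet key in the configuration and lines 2 and 4 of the DAG, while the password-less broker URL and the value read from the environment pass.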
Chief among the concerns associated with misconfigured Airflow instances is the exposure of credentials that could be abused by threat actors to gain access to accounts and databases, giving them the ability to spread laterally or cause data leakage. Such exposure can also lead to violations of data protection laws and give insight into an organization’s tools and packages, which could later be exploited to stage supply-chain attacks.
“If a large number of passwords are visible, a threat actor can also use this data to detect patterns and common words to infer other passwords,” Intezer researchers said. “These can be leveraged in dictionary or brute-force-style attacks against other platforms.”
Even more concerning is the possibility that malware can be launched on the exposed production environments by leveraging the Variables feature to modify the container image variables to point to a different image containing unauthorized code.
Apache Airflow, for its part, has remediated a lot of security issues with version 2.. that was released in December 2020, making it critical that users of the software update to the latest version and adopt secure coding practices to prevent passwords from being exposed.