<div><span style="color: #337fe5;"><strong>Description</strong></span><br /><br /><div style="text-align: justify;"><strong>Introduction</strong></div><div style="text-align: justify;">Apache Kylin is an open source, distributed analytical data warehouse that provides a SQL query interface and multi-dimensional analysis (OLAP) capabilities on Hadoop to support extremely large-scale data. It was originally developed by eBay Inc. and contributed to the open source community.</div><br /><div style="text-align: justify;"><strong>Summary</strong><br />
On May 28, 2020, Apache Kylin officially released a security bulletin disclosing a remote code execution vulnerability. Some of Kylin's RESTful APIs concatenate OS commands with strings entered by users, without any protection or verification, so attackers can execute arbitrary OS commands on Kylin.</div><br /><strong>Analysis</strong><br />
Patch:<br /><br /><br /><div style="text-align: justify;">As the latest patch shows, a call to the checkParameter() method is added to the format method of migrateCube. This method replaces special characters in the incoming string.</div><br /><br /><div style="text-align: justify;">The COMMAND_INJECT_REX attribute, which stores the special characters, is defined in the checkParameter() method. Any characters in the incoming string that match COMMAND_INJECT_REX are replaced with null, that is, removed.<br /><br />
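The difference between concatenating input into a command string, stripping special characters as the patch does, and rejecting unexpected input outright, shown as an added example (not Kylin's code and not part of the original advisory). The command name migrate-tool, the deny-list character set and the name pattern are assumptions; this page does not show the real COMMAND_INJECT_REX value.<br /><br />

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Kylin source. "migrate-tool", the character set and
// the name pattern are assumptions made for this example.
public class MigrateCommandDemo {

    // Hypothetical deny-list playing the role of COMMAND_INJECT_REX.
    static final String DENY_REX = "[ &`>|{}()$;#~!*\\\\]+";

    // Allow-list for what a project or cube name may look like (assumption).
    static final Pattern NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    // Before: user input is concatenated into a string a shell will parse.
    static String unsafeCommand(String project, String cube) {
        return "migrate-tool " + project + " " + cube;
    }

    // Patch-style fix: delete deny-listed characters, then concatenate.
    static String filteredCommand(String project, String cube) {
        return "migrate-tool " + project.replaceAll(DENY_REX, "")
                + " " + cube.replaceAll(DENY_REX, "");
    }

    // Stricter: reject off-list values and return an argument vector that
    // can go to ProcessBuilder, so no shell ever parses the values.
    static List<String> strictArgv(String project, String cube) {
        for (String v : new String[] {project, cube}) {
            if (!NAME.matcher(v).matches()) {
                throw new IllegalArgumentException("rejected parameter: " + v);
            }
        }
        return Arrays.asList("migrate-tool", project, cube);
    }

    public static void main(String[] args) {
        String project = "demo_project";          // constructed sample input
        String cube = "sales_cube;echo INJECTED"; // constructed sample input
        System.out.println(unsafeCommand(project, cube));   // two shell commands
        System.out.println(filteredCommand(project, cube)); // one mangled argument
        try {
            strictArgv(project, cube);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());              // request refused
        }
        System.out.println(strictArgv(project, "sales_cube"));
    }
}
```

Character stripping keeps the shell from seeing a second command, but the request still proceeds with a silently altered name; the allow-list variant refuses it and never builds a shell string at all.<br /><br />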
Starting from the migrateCube method changed by the patch, we locate the corresponding route in the controller, which is the entry point for exploiting the vulnerability.</div><br /><br /><div style="text-align: justify;">With that, the exploitation path is complete.<br /><br /><strong>Reproduction</strong><br />
We built an Apache Kylin 3.0.1 environment to reproduce this vulnerability and configured the following three attribute values:<br /><br />
kylin.tool.auto-migrate-cube.enabled=true<br /><br />
kylin.tool.auto-migrate-cube.src-config=/home/admin/apache-kylin-3.0.1-bin-hbase1x<br /><br />
kylin.tool.auto-migrate-cube.dest-config=/tmp/kylin.properties</div><br />
Configuration is as follows:<br /><br /><br />
We send crafted malicious HTTP requests and execute code, as shown below:<br /><br /><br /><br /><div style="text-align: justify;"><strong>Impacts</strong><br />
Affected Apache Kylin versions:<br /><br />
Kylin 2.3.0 - 2.3.2<br />
Kylin 2.4.0 - 2.4.1<br />
Kylin 2.5.0 - 2.5.2<br />
Kylin 2.6.0 - 2.6.5<br />
Kylin 3.0.0-alpha<br />
Kylin 3.0.0-alpha2<br />
Kylin 3.0.0-beta<br />
Kylin 3.0.0 - 3.0.1<br /><br /><strong>Timeline</strong><br />
May 28, 2020 Apache Kylin officially disclosed the Apache Kylin remote code execution vulnerability CVE-2020-1956.<br />
May 28, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.<br /><br /><strong>Reference</strong><br /><a href="https://kylin.apache.org/docs/security.html" rel="noopener noreferrer" target="_blank"><span style="text-decoration: underline; color: #337fe5;">https://kylin.apache.org/docs/security.html</span></a><br /><a href="https://github.com/apache/kylin/commit/9cc3793ab2f2f0053c467a9b3f38cb77…" rel="noopener noreferrer" target="_blank"><span style="text-decoration: underline; color: #337fe5;">https://github.com/apache/kylin/commit/9cc3793ab2f2f0053c467a9b3f38cb77…</span></a><br /><br /><span style="color: #337fe5;"><strong>Solution</strong></span><br /><br /><strong>Remediation Solution</strong><br />
Apache Kylin has officially released a version that fixes this vulnerability. Please visit the following link to download the latest version.<br /><br /><a href="http://kylin.apache.org/download/" rel="noopener noreferrer" target="_blank"><span style="text-decoration: underline; color: #337fe5;">http://kylin.apache.org/download/</span></a><br /><br /><strong>Sangfor Solution</strong><br />
Sangfor Host Security updated its detection capability as soon as the vulnerability was discovered. Users can update to quickly detect whether the network is affected by this high-risk vulnerability and prevent it from being used by attackers. Offline users need to download the offline update to get detection capabilities for this vulnerability, while online users obtain detection capabilities automatically.<br /><br />
For Sangfor NGAF customers, keep NGAF security protection rules up to date.<br /><br />
Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.<br /><br />
Sangfor SOC makes sure that Sangfor security specialists are available 24/7 for any security issues you may have. When vulnerability protection rules were released, Sangfor security experts checked and updated customers' vulnerability detection devices, and performed vulnerability scanning of the customers' network environment to ensure that customer hosts are free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.</div></div>