Apache Kylin is an open source, distributed analytical data warehouse that provides SQL query interface and multi-dimensional analysis (OLAP) capabilities on Hadoop to support super large-scale data. It was originally developed by eBay Inc. and contributed to the open source community.
On May 28, 2020, Apache Kylin officially released a security bulletin that disclosed its remote code execution vulnerability. Kylin has some RESTful APIs that can connect os command to strings entered by users and attackers can execute arbitrary os command on Kylin without any protection or verification.
As you can see from the latest updated patch, the checkParameter() method is added to the format method of migrateCube. This method replaces special characters in the incoming string.
The COMMAND_INJECT_REX attribute that stores special characters is defined in the checkParameter() method. And we can replace the special characters defined by the COMMAND_INJECT_REX attribute in the incoming string with null.
According to the migrateCube method changed by the patch, find the corresponding route in the controller to determine the entry point of the vulnerability exploit.
Above all, the vulnerability exploitation ends.
We build Apache Kylin 3.0.1 environment to reproduce this vulnerability and configure the following three attribute values.
Configuration is as follows:
We send crafted malicious HTTP requests and execute code, as show below:
Affected Apache Kylin versions:
Kylin 2.3.0 - 2.3.2
Kylin 2.4.0 - 2.4.1
Kylin 2.5.0 - 2.5.2
Kylin 2.6.0 - 2.6.5
Kylin 3.0.0 - 3.0.1
May 28, 2020 Apache Kylin officially released Apache Kylin remote code execution CVE-2020-1956.
May 28, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.
The official has released a version to fix this vulnerability. Please visit the following link to download the latest version.
Sangfor Host Security updated its detection capability as soon as the vulnerability was discovered. Users can update to quickly detect whether the network is affected by this high risk vulnerability and prevent it from being used by attackers. Offline users need to download the offline update to get detection capabilities for this vulnerability while online users can obtain detection capabilities automatically.
For Sangfor NGAF customers, keep NGAF security protection rules up to date.
Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.
Sangfor SOC makes sure that Sangfor security specialists are available 24/7 for any security issues you may have. When vulnerability protection rules were released, Sangfor security experts checked and updated customers' vulnerability detection devices, and performed vulnerability scanning of the customers' network environment to ensure that customer hosts are free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.