Apache Kylin Remote Code Execution Vulnerability CVE-2020-1956

08/06/2020 18:00:27


Description

Introduction
Apache Kylin is an open source, distributed analytical data warehouse that provides a SQL query interface and multi-dimensional analysis (OLAP) capabilities on Hadoop to support extremely large-scale data. It was originally developed by eBay Inc. and contributed to the open source community.

Summary
On May 28, 2020, Apache Kylin officially released a security bulletin disclosing a remote code execution vulnerability. Some of Kylin's RESTful APIs concatenate user-supplied strings directly into OS commands without any validation or sanitization, so an attacker can execute arbitrary OS commands on the Kylin host.

Analysis
Patch:



As the latest patch shows, a checkParameter() method is now applied to the values that migrateCube formats into its command string. This method strips special characters from the incoming string.



The special characters are defined in the COMMAND_INJECT_REX attribute used by checkParameter(): every character matched by COMMAND_INJECT_REX in the incoming string is replaced with an empty string, i.e. removed, before the string reaches the command.

Starting from the migrateCube method changed by the patch, we locate the corresponding route in the controller to determine the entry point for exploiting the vulnerability.



This completes the analysis of the exploit path.
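To make the patch's idea concrete, the following added Java example (not Apache Kylin code; the class, regex contents, command line and input are assumptions) contrasts the vulnerable pattern of formatting user input into one shell command string with the denylist stripping the patch describes, and with a stricter allowlist plus argument-vector approach that keeps a shell out of the picture entirely.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration of the command-building styles discussed above.
// Not Apache Kylin code; names, regex and the command line are assumptions.
public class CommandParameterExample {

    // Denylist in the spirit of the patch's COMMAND_INJECT_REX: every listed shell
    // metacharacter is stripped from the parameter before it reaches the command line.
    // (Assumed character set; the real constant lives in the Kylin patch.)
    private static final Pattern COMMAND_INJECT_REX =
            Pattern.compile("[ &`>|{}()$;\\-#~!+*\"'\\\\]+");

    // Allowlist alternative: a cube or project name only needs these characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    // Patch-style sanitization: remove anything a shell could interpret.
    static String checkParameter(String parameter) {
        return COMMAND_INJECT_REX.matcher(parameter).replaceAll("");
    }

    // Stricter validation: reject rather than repair unexpected input.
    static String requireSafeName(String parameter) {
        if (!SAFE_NAME.matcher(parameter).matches()) {
            throw new IllegalArgumentException("unsafe parameter: " + parameter);
        }
        return parameter;
    }

    // Vulnerable shape: user input formatted into one string that a shell will parse,
    // so a ';' or '|' inside cubeName splits the line into additional commands.
    static String vulnerableCommandLine(String kylinHome, String cubeName, String project) {
        return String.format("%s/bin/kylin.sh CubeMigrationCLI %s %s", kylinHome, cubeName, project);
    }

    // Hardened shape: validated values passed as separate argv entries, suitable for
    // new ProcessBuilder(argv).start(), so no shell ever parses the user input.
    static List<String> hardenedArgv(String kylinHome, String cubeName, String project) {
        return Arrays.asList(kylinHome + "/bin/kylin.sh", "CubeMigrationCLI",
                requireSafeName(cubeName), requireSafeName(project));
    }

    public static void main(String[] args) {
        String tainted = "cube_a; id"; // constructed input containing shell metacharacters
        System.out.println(vulnerableCommandLine("/opt/kylin", tainted, "proj"));
        System.out.println(checkParameter(tainted));
        System.out.println(hardenedArgv("/opt/kylin", "cube_a", "proj"));
        try {
            hardenedArgv("/opt/kylin", tainted, "proj");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```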

Reproduction
We built an Apache Kylin 3.0.1 environment to reproduce this vulnerability and configured the following three properties.

kylin.tool.auto-migrate-cube.enabled=true

kylin.tool.auto-migrate-cube.src-config=/home/admin/apache-kylin-3.0.1-bin-hbase1x

kylin.tool.auto-migrate-cube.dest-config=/tmp/kylin.properties

Configuration is as follows:



We sent crafted malicious HTTP requests and executed code, as shown below:





Impacts
Affected Apache Kylin versions:

Kylin 2.3.0 - 2.3.2
Kylin 2.4.0 - 2.4.1
Kylin 2.5.0 - 2.5.2
Kylin 2.6.0 - 2.6.5
Kylin 3.0.0-alpha
Kylin 3.0.0-alpha2
Kylin 3.0.0-beta
Kylin 3.0.0 - 3.0.1

Timeline
May 28, 2020: Apache Kylin officially published the advisory for remote code execution vulnerability CVE-2020-1956.
May 28, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Reference
https://kylin.apache.org/docs/security.html
https://github.com/apache/kylin/commit/9cc3793ab2f2f0053c467a9b3f38cb7791cd436a#

Solution

Remediation Solution
The vendor has released a version that fixes this vulnerability. Please visit the following link to download the latest version.

http://kylin.apache.org/download/

Sangfor Solution
Sangfor Host Security updated its detection capability as soon as the vulnerability was disclosed. Users can update to quickly detect whether their network is affected by this high-risk vulnerability and prevent it from being exploited by attackers. Offline users need to download the offline update to obtain detection capabilities for this vulnerability, while online users obtain them automatically.

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 for any security issues you may have. When vulnerability protection rules were released, Sangfor security experts checked and updated customers' vulnerability detection devices, and performed vulnerability scanning of the customers' network environment to ensure that customer hosts are free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.
