A critical vulnerability in the open-source version of Netflix's Genie engine lets attackers run malicious code remotely on the server hosting it, putting the big data infrastructure it orchestrates at risk. The bug has been designated CVE-2024-4701 and carries a CVSS score of 9.9 out of 10.
Organisations, including Netflix, use Genie to run and monitor big data jobs and workflows across different computational clusters. The vulnerability affects anyone running a self-hosted Genie OSS instance that stores user-submitted file attachments on the local file system. Netflix has assessed the vulnerability as relatively easy to exploit: it requires no special privileges and no user interaction.
Researchers from Contrast Security discovered the vulnerability and reported it to Netflix. The issue is described as enabling remote code execution (RCE) through the file upload path: an attacker can submit a crafted file containing arbitrary code via the attachment upload API and take over the platform.
Netflix identified the root cause: the API accepts a user-provided filename and uses it verbatim when writing the uploaded file to disk. A filename containing path traversal sequences therefore breaks out of the default attachment storage directory, letting the attacker write files into other, restricted directories on the server.
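The pattern behind the root cause, shown as an added example that is not Genie's own code (Genie is written in Java; Python is used here only to illustrate the bug and the fix side by side). The directory layout, the function names and the sample payload are assumptions made for this illustration. The vulnerable writer joins the client-supplied filename onto the job's attachment directory unchanged, so `../../escaped.sh` lands two directories above it; the hardened writer rejects any name that is not a plain file name and then checks the canonical destination is still inside the job directory.

```python
"""Path traversal in attachment storage: vulnerable write beside its hardened form.

Added illustration, not Genie's code. The layout ROOT/attachments/<job_id>/<file>,
the function names and the payload bytes are assumptions for this example.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed sandbox: attachments are meant to live under ROOT/attachments/<job_id>/
ROOT = Path(tempfile.mkdtemp(prefix="genie-demo-")).resolve()
BASE = ROOT / "attachments"
BASE.mkdir()

# Hypothetical job-id policy: a simple token, nothing that can act as a path.
JOB_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


def save_attachment_vulnerable(job_id: str, filename: str, data: bytes) -> Path:
    """Uses the client-supplied filename verbatim, the flaw the advisory describes.

    os.path.normpath mirrors what the kernel does with '..' at open() time:
    '../../x' walks out of the job directory and out of BASE entirely.
    """
    dest = Path(os.path.normpath(BASE / job_id / filename))
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def safe_attachment_path(job_id: str, filename: str) -> Path:
    """Return a write path guaranteed to sit directly inside BASE/<job_id>."""
    if not JOB_ID_RE.fullmatch(job_id):
        raise ValueError(f"rejected job id: {job_id!r}")
    # Reject anything that is not a plain file name: either separator,
    # NUL bytes (which truncate C-level paths), and the entries '.' and '..'.
    if (not filename or "/" in filename or "\\" in filename
            or "\x00" in filename or filename in (".", "..")):
        raise ValueError(f"rejected filename: {filename!r}")
    job_dir = (BASE / job_id).resolve()
    dest = (job_dir / filename).resolve()
    # Defence in depth: after canonicalisation the parent must be the job dir.
    if dest.parent != job_dir:
        raise ValueError(f"escapes attachment directory: {dest}")
    return dest


def save_attachment_hardened(job_id: str, filename: str, data: bytes) -> Path:
    dest = safe_attachment_path(job_id, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run both writers against a traversal filename and report where bytes landed."""
    payload = b"echo owned\n"          # constructed stand-in for attacker content
    traversal = "../../escaped.sh"     # from BASE/job-1/ this resolves to ROOT/escaped.sh

    vuln_dest = save_attachment_vulnerable("job-1", traversal, payload)
    escaped = BASE not in vuln_dest.resolve().parents

    try:
        save_attachment_hardened("job-1", traversal, payload)
        blocked = False
    except ValueError:
        blocked = True

    ok_dest = save_attachment_hardened("job-1", "script.sh", payload)
    return {
        "vulnerable_wrote_to": str(vuln_dest),
        "vulnerable_escaped_base": escaped,
        "hardened_blocked_traversal": blocked,
        "hardened_wrote_to": str(ok_dest),
        "hardened_inside_base": BASE in ok_dest.parents,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting separators outright, rather than silently stripping a traversal name down to its last component, is deliberate: a request carrying `../` is hostile, and it is better to fail loudly and log it than to accept a sanitised version. The `resolve()` containment check remains as a second line of defence for cases the string checks miss, such as a symlink already present inside the job directory.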
If successful, the attack allows a threat actor to access and download any of the big data sets the affected Genie instance operates on, which could lead to a massive data breach or worse.
The good news is that the bug does not affect Netflix's streaming platform, any of its other services or its own Genie deployment. It was present in Genie OSS versions earlier than 4.3.18 and has since been fixed; Netflix has published a security advisory on GitHub.
Deployments that do not store attachments on the underlying local file system are not affected. For anyone who cannot update their Genie OSS instance immediately, the recommendation is to restrict network access to Genie, and in particular to any publicly reachable instance where users can interact with the API.