Critical vulnerabilities in the OpenMetadata framework have been exploited in a cyber attack targeting Kubernetes environments. The attack poses significant risks for organisations running OpenMetadata in their infrastructure.
OpenMetadata is an open-source platform designed to manage metadata across various data sources. It plays a pivotal role in streamlining data governance and management processes for organisations.
However, versions before 1.3.1 contain vulnerabilities, including CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254, that attackers have exploited.
The attack commences with threat actors scanning the internet for Kubernetes workloads running vulnerable versions of OpenMetadata. Upon identifying a target, attackers exploit the vulnerabilities to bypass authentication mechanisms and gain remote code execution capabilities within the Kubernetes environment.
In an email to Candid.Technology, OpenMetadata clarified that it patched the following vulnerabilities in the 1.2.4 update on January 5, 2024: CVE-2024-28255, CVE-2024-28254, CVE-2024-28847 and CVE-2024-28848. The remaining flaw, CVE-2024-28253, was patched in March with the 1.3.1 update.
“We patched the most crucial ones, CVE-2024-28255 and CVE-2024-28254, as well as two additional ones, CVE-2024-28847 and CVE-2024-28848, in 1.2.4 on Jan 5,” an OpenMetadata spokesperson told Candid.Technology. “The remaining CVE-2024-28253 vulnerability only applies to existing users that are already registered and authenticated within OpenMetadata. This was patched in 1.3.1 in March.”
The attackers follow a meticulously planned sequence of actions:
- Initial access: Attackers establish a foothold by exploiting an OpenMetadata vulnerability, allowing them to execute code on containers running the vulnerable OpenMetadata image.
“In this specific attack, the attackers send ping requests to domains that end with oast[.]me and oast[.]pro, which are associated with Interactsh, an open-source tool for detecting out-of-band interactions,” the researchers explained.
- Reconnaissance: The attackers conduct reconnaissance activities to assess their level of control and gather intelligence about the victim’s environment. This includes querying network and hardware configurations, identifying active users, and probing for sensitive environment variables containing connection strings and credentials.
- Payload download and execution: Following reconnaissance, attackers download cryptomining malware from a remote server, often located in regions like China. They then elevate file permissions, execute the malware, and remove initial traces from the compromised systems.
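The out-of-band pings described above are one of the few network indicators a defender can act on before the miner lands: a container that has no business resolving Interactsh domains and suddenly does so is a strong signal. The following is an added example, not code from the article or from the OpenMetadata project, that scans DNS query logs for lookups of the two callback domains the researchers named. The log format and the sample lines are constructed for the example; the only domains it matches are the two from the write-up, and the list can be extended with other Interactsh default domains if you use them in your own detections.

```python
import re
from collections import defaultdict

# Callback domains named in the write-up as associated with Interactsh.
INTERACTSH_SUFFIXES = ("oast.me", "oast.pro")

# Constructed sample DNS query log (not real traffic). Assumed format:
# <ISO timestamp> <namespace/pod> <query type> <query name>
SAMPLE_DNS_LOG = """\
2024-04-18T10:01:02Z data/openmetadata-server-7c9d A api.internal.example.svc.cluster.local
2024-04-18T10:01:05Z data/openmetadata-server-7c9d A c8k1v2example.oast.me
2024-04-18T10:01:07Z data/openmetadata-server-7c9d A c8k1v2example.oast.pro
2024-04-18T10:02:11Z default/frontend-5f6a A cdn.example.com
2024-04-18T10:02:30Z data/openmetadata-server-7c9d A toast.me
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pod>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def is_interactsh_domain(qname: str) -> bool:
    """True if qname is a callback domain or a subdomain of one.

    Matching on whole DNS labels (exact or '.'-prefixed suffix) avoids false
    positives on look-alike names such as 'toast.me'.
    """
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERACTSH_SUFFIXES)


def find_oast_callbacks(log_text: str) -> dict:
    """Return {pod: [query names]} for every lookup of an Interactsh domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if is_interactsh_domain(m["qname"]):
            hits[m["pod"]].append(m["qname"])
    return dict(hits)


if __name__ == "__main__":
    for pod, names in find_oast_callbacks(SAMPLE_DNS_LOG).items():
        print(f"ALERT {pod}: out-of-band DNS to {', '.join(names)}")
```

Run against the constructed sample, it reports only the OpenMetadata pod, with both callback lookups, and ignores the look-alike `toast.me` query. In a real deployment the same function can be fed CoreDNS query logs or a DNS-visibility feed; the point is to key on the resolving pod, since the page describes the callbacks originating from the compromised OpenMetadata container itself.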
Researchers also found other malware on the attacker’s server for both Linux and Windows. The attacker also sent a personal message to the victims explaining the situation and why the attack was being carried out.
To maintain control over the compromised systems, attackers initiate a reverse shell connection using tools like Netcat to access and manipulate the containerised environment remotely.
For persistence, attackers use cronjobs for scheduled task execution, allowing the malicious code to run at predetermined intervals without detection.
Researchers have advised organisations to protect their Kubernetes environment by updating OpenMetadata to version 1.3.1 or later, implementing strong authentication tools, and utilising robust security solutions like cloud defenders.
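Since the attackers begin by locating workloads that run an old OpenMetadata image, the cheapest defensive step is to run that same inventory yourself. The following is an added example, not code from the article or the OpenMetadata project, that audits `kubectl get pods -A -o json` output and flags every OpenMetadata server container whose image tag is below 1.3.1. It assumes the server image repository path contains `openmetadata/server` (the registry prefix and the sample JSON are constructed for the example); floating tags such as `latest` are reported as unknown rather than silently passed.

```python
from __future__ import annotations

import json
import re

# Version the researchers advise organisations to be on, or later.
FIXED_VERSION = (1, 3, 1)

# Assumption for this example: the OpenMetadata server image repository path
# contains "openmetadata/server". Captures an optional tag and ignores a digest.
OM_IMAGE_RE = re.compile(r"openmetadata/server(?::(?P<tag>[^@]+))?(?:@sha256:[0-9a-f]+)?$")

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "data", "name": "openmetadata-server-7c9d"},
         "spec": {"containers": [{"name": "server",
                                  "image": "docker.getcollate.io/openmetadata/server:1.2.4"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-server-b2f1"},
         "spec": {"containers": [{"name": "server",
                                  "image": "docker.getcollate.io/openmetadata/server:1.3.1"}]}},
        {"metadata": {"namespace": "analytics", "name": "om-latest"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:latest"}]}},
        {"metadata": {"namespace": "default", "name": "frontend"},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
    ]
})


def parse_version(tag: str) -> tuple[int, ...] | None:
    """Turn '1.2.4' or 'v1.3.1-rc1' into (1, 2, 4); None for non-numeric tags like 'latest'."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups(default="0"))


def classify_image(image: str) -> str | None:
    """'vulnerable', 'patched' or 'unknown' for OpenMetadata server images; None otherwise."""
    m = OM_IMAGE_RE.search(image)
    if not m:
        return None
    ver = parse_version(m["tag"] or "")
    if ver is None:
        return "unknown"  # floating or digest-only tag: cannot judge without inspecting the image
    return "patched" if ver >= FIXED_VERSION else "vulnerable"


def audit_pods(kubectl_json: str) -> list[tuple[str, str, str]]:
    """Return (namespace/pod, image, status) for every OpenMetadata server container."""
    findings = []
    for pod in json.loads(kubectl_json)["items"]:
        md = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            status = classify_image(c["image"])
            if status:
                findings.append((f"{md['namespace']}/{md['name']}", c["image"], status))
    return findings


if __name__ == "__main__":
    for pod, image, status in audit_pods(SAMPLE_KUBECTL_JSON):
        print(f"{status:10} {pod:40} {image}")
```

Against the sample the script marks the 1.2.4 pod vulnerable, the 1.3.1 pod patched and the `latest` pod unknown, and it skips the nginx container entirely. Pipe real `kubectl get pods -A -o json` output into `audit_pods` to get the same table for a live cluster; an "unknown" result is a prompt to resolve the tag to a concrete version rather than a pass.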
Update [26/04/24]: The story was updated with OpenMetadata’s answers to our queries.