Misconfigured Apache Airflow Instances Expose Sensitive Information

Security researchers with Intezer have discovered several misconfigured Apache Airflow instances that exposed sensitive information to anyone on the Internet.

Improperly secured, the Airflow instances were found to expose credentials of cloud services providers, social media platforms, and payment processing services, including AWS, Slack, PayPal, and others.

A highly popular open-source workflow management platform, Apache Airflow is used by organizations in sectors such as cybersecurity, ecommerce, energy, finance, health, information technology, manufacturing, media, and transportation.

Intezer’s security researchers note that their investigation into Airflow misconfigurations revealed several scenarios leading to the exposure of credentials. In most cases, insecure coding practices are what led to the leak.

The most common way for credentials to be exposed, the researchers say, is through hardcoded passwords inside the Python files that define a Directed Acyclic Graph (DAG), the collection of tasks that is Airflow’s core abstraction.

Credentials are often exposed through the “variables” feature in Airflow as well, the researchers say. These variables, which can be used globally across DAG scripts, often include hardcoded credentials.

In Airflow, credentials are meant to be stored in Connections, which are encrypted in the metadata database using a Fernet key, but in some cases they end up in the Extra field of the connection, which is stored in plaintext, meaning that anyone with access can view them.

Passwords and keys (including plaintext Fernet keys) are also stored in the configuration file created when Airflow is started for the first time. The configuration file can be accessed from the web server user interface if the setting “expose_config” is set to “True.”
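The following audit helpers, added here as an example and not code from Intezer or the Airflow project, check for the exposure patterns described above: `expose_config` enabled and a plaintext Fernet key in `airflow.cfg`, secret-looking keys in a Connection's Extra field, and string literals hardcoded into DAG source. The `SECRET_NAME` heuristic and the sample config and DAG are constructed for the example.

```python
# Added audit helpers (not Intezer's or Airflow's code) for the exposure patterns
# above; SECRET_NAME is a hypothetical heuristic, sample inputs are constructed.
import ast
import configparser
import json
import re

SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key|fernet", re.I)

def audit_config(cfg_text: str) -> list[str]:
    """Flag expose_config=True and a plaintext fernet_key in airflow.cfg text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config=True: airflow.cfg viewable from UI")
    if cfg.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key stored in plaintext in airflow.cfg")
    return findings

def audit_connection_extra(extra_json: str) -> list[str]:
    """Flag secret-looking keys in a Connection's Extra field (not encrypted)."""
    try:
        extra = json.loads(extra_json or "{}")
    except json.JSONDecodeError:
        return []
    return [f"Extra key {k!r} looks like a plaintext credential"
            for k in extra if SECRET_NAME.search(k)]

def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def audit_dag_source(src: str) -> list[str]:
    """Flag string literals bound to secret-looking names or keyword arguments."""
    findings = []
    for node in ast.walk(ast.parse(src)):  # parse only; the DAG is never imported
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            for t in node.targets:
                if isinstance(t, ast.Name) and SECRET_NAME.search(t.id):
                    findings.append(f"line {node.lineno}: literal assigned to {t.id}")
        elif (isinstance(node, ast.keyword) and node.arg
              and SECRET_NAME.search(node.arg) and _is_str_literal(node.value)):
            findings.append(f"line {node.value.lineno}: literal passed as {node.arg}=")
    return findings

# Constructed samples: a DAG that hardcodes one secret and fetches another properly.
SAMPLE_CFG = "[core]\nfernet_key = EXAMPLE_KEY\n[webserver]\nexpose_config = True\n"
SAMPLE_DAG = ("from airflow.models import Variable\n"
              "SLACK_TOKEN = 'xoxb-constructed'\n"
              "hook(password=Variable.get('db_pw'), api_key='constructed')\n")
```

A value pulled at runtime with `Variable.get(...)` is not a literal and is not flagged; only strings baked into the file are.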

Additionally, Airflow prior to version 1.10.13 would log in plaintext all credentials added via the command line interface (CLI), an issue tracked as CVE-2020-17511.

“Many exposed Airflow instances that we found revealed information about the services and platforms that companies are using in their software development environments. […] Exposing information about tools and packages used in the organization’s infrastructure can jeopardize the organization and also be leveraged by threat actors in supply chain attacks,” Intezer notes.

Airflow plugins or features could also be abused to run malicious code on the exposed production environments, the researchers say.

To stay protected, users are advised to update to the latest Apache Airflow version and to ensure that only authorized users have access to their deployments.

“What may seem like just a minor oversight in coding practices (as researchers indicated was likely the case here) can ultimately have devastating repercussions on a brand’s reputation, as customer trust relies first and foremost on the security of their data. With a comprehensive security posture assessment of the applications hosted within their cloud environment along with the ability to remediate issues in real-time, companies can safely operate without putting customer data at risk,” Pravin Rasiah, VP of Product at CloudSphere, said in an emailed comment.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
