Security researchers with Intezer have discovered several misconfigured Apache Airflow instances that exposed sensitive information to anyone on the Internet.
Improperly secured, the Airflow instances were found to expose credentials of cloud services providers, social media platforms, and payment processing services, including AWS, Slack, PayPal, and others.
A highly popular open-source workflow management platform, Apache Airflow is used by organizations in sectors such as cybersecurity, ecommerce, energy, finance, health, information technology, manufacturing, media, and transportation.
Intezer’s security researchers note that their investigation into Airflow misconfigurations revealed several scenarios leading to the exposure of credentials. In most cases, insecure coding practices are what led to the leak.
The most common way for credentials to be exposed, the researchers say, is through hardcoded passwords inside the Python Directed Acyclic Graph (DAG), a collection of tasks that represents the primary concept in Airflow.
Credentials are often exposed through the “variables” feature in Airflow as well, the researchers say. These variables, which can be used globally across DAG scripts, often include hardcoded credentials.
In Airflow, credentials are meant to be stored in connections, which are encrypted in the metadata database using a Fernet encryption key, but in some cases they end up in plaintext in the Extra field of the connection, meaning that anyone with access to the instance can view them.
Passwords and keys (including plaintext Fernet keys) are also stored in the configuration file created when Airflow is started for the first time. The configuration file can be accessed from the web server user interface if the setting “expose_config” is set to “True.”
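As an added illustration (not code from the Intezer report or the Airflow project), the following Python script checks a deployment for the exposure patterns described above: `expose_config` enabled and an inline Fernet key in airflow.cfg, plus string literals assigned to credential-like names in DAG code. The sample config and DAG are constructed, and the name-matching regex is a heuristic of this example, not an Airflow API.

```python
"""Audit an Airflow deployment for the credential-exposure patterns described above."""
from __future__ import annotations
import configparser
import re
from pathlib import Path

# Constructed sample airflow.cfg fragment (not from a real deployment).
SAMPLE_CFG = """
[core]
fernet_key = PLACEHOLDER_FERNET_KEY_VALUE
[webserver]
expose_config = True
"""

# Constructed sample DAG module showing the insecure hardcoding pattern.
SAMPLE_DAG = '''
from airflow.models import Variable
AWS_SECRET_ACCESS_KEY = "CONSTRUCTED_EXAMPLE_SECRET"
password = "hunter2"
token = Variable.get("slack_token")
'''

# Heuristic: a string literal assigned to a credential-like variable name.
HARDCODED_RE = re.compile(
    r'(?i)\b(\w*(password|passwd|secret|token|api_key|access_key)\w*)\s*=\s*["\'][^"\']+["\']'
)

def audit_config(cfg_text: str) -> list[str]:
    """Return findings for settings that expose secrets through the web UI."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config is True: airflow.cfg (incl. fernet_key) is readable from the UI")
    if cfg.get("core", "fernet_key", fallback=""):
        findings.append("core.fernet_key stored inline in airflow.cfg; prefer an env var or a secrets backend")
    return findings

def audit_dag_source(src: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for hardcoded credential literals in DAG code."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = HARDCODED_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

def audit_dag_folder(folder: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every .py file under the DAG folder with audit_dag_source."""
    return {str(p): audit_dag_source(p.read_text()) for p in folder.rglob("*.py")}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CFG):
        print("CONFIG:", f)
    for lineno, name in audit_dag_source(SAMPLE_DAG):
        print(f"DAG line {lineno}: hardcoded credential in {name}")
```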
Additionally, Airflow prior to version 1.10.13 would log in plaintext all credentials added via the command line interface (CLI), an issue tracked as CVE-2020-17511.
“Many exposed Airflow instances that we found revealed information about the services and platforms that companies are using in their software development environments. […] Exposing information about tools and packages used in the organization’s infrastructure can jeopardize the organization and also be leveraged by threat actors in supply chain attacks,” Intezer notes.
Airflow plugins or features could also be abused to run malicious code on the exposed production environments, the researchers say.
To stay protected, users are advised to update to the latest Apache Airflow version and to ensure that only authorized users have access to their deployments.
“What may seem like just a minor oversight in coding practices (as researchers indicated was likely the case here) can ultimately have devastating repercussions on a brand’s reputation, as customer trust relies first and foremost on the security of their data. With a comprehensive security posture assessment of the applications hosted within their cloud environment along with the ability to remediate issues in real-time, companies can safely operate without putting customer data at risk,” Pravin Rasiah, VP of Product at CloudSphere, said in an emailed comment.