As workflow management platforms are indispensable for automating business and IT tasks, making it easier to create, schedule and monitor workflows; they are typically cloud-based for increased accessibility and scalability. However, misconfigured instances could make these platforms ideal for exploitation by hackers.
Intezer researchers discovered a misconfiguration in the popular workflow platform, with Apache Airflow having a number of unprotected instances. These unprotected instances expose sensitive data of several popular companies across the world running such services as Amazon Web Services (AWS), Google Cloud Platform (GCP), and GitHub Enterprise Cloud.
How Misconfigured Airflows leads to Credentials leakage of Popular Services
The configuration file (airflow.cfg) which is created when Airflow is started contains Airflow’s configuration and it can be changed. This file can also contain sensitive information such as passwords and keys.
The main risks of a misconfigured Airflow instance is the exposed credentials, which can give a threat actor access to legitimate business accounts and databases, with the ability to perform lateral movement. If the setting in the file “expose_config” is set to “True,” it makes it possible for anyone to access the configuration from the web server UI, which can expose credentials.
According to the researchers, the most common way to leak credentials in Airflow is through insecure coding practices, with many instances of hardcoded passwords discovered inside the Python DAG code. There is the possibility too that Airflow plugins can be abused to run malicious code.
When these instances are exposed to the internet the data becomes accessible to everyone, since the authentication is disabled. And the leakage of sensitive data essentially means that attackers can have access to information on the organization with the exposed server.
How to Mitigate against Apache Airflow bug?
Apache made great progress with Airflow in terms of security features implemented in version 2.0, which changes included the following: enforced login and authentication required for all operations in the REST API, among others
Therefore, it is strongly recommended that users should update their version of Airflow instances to the latest version. And also make sure that only authorized users can connect to the platform.