This issue is a result of a change in the default configuration of DAGs when the Airflow version was upgraded from 2.3.x to 2.4.x. The DAG id was changed from DAG1 to DAG2, and the old DAG1 was marked as deprecated. Therefore, DAG1 started to be disabled by default. However, there was no way to disable DAG2 because it was marked as the default DAG.

The vulnerability exists due to a lack of proper validation of the old DAG1 run_id. An attacker can manually provide a run_id for DAG1, which is still enabled. Therefore, when Airflow executes DAG1, it continues to use the old DAG1 configuration, which was enabled by the attacker. An attacker with UI access can trigger DAG1 with a manually provided run_id, and the Airflow scheduler will invoke the old DAG1 with that configuration.

CVE-2018-17806: Apache Airflow versions prior to 2.4.0 have a vulnerability that allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

Summary of Vulnerability

In Apache Airflow versions prior to 2.4.0, the DAG id was changed from DAG1 to DAG2, and the old DAG1 was marked as deprecated. After this change, an attacker with UI access who can trigger DAGs can execute arbitrary commands via a manually provided run_id parameter by abusing the following weakness: in Apache Airflow versions prior to 2.4.0, there is no way to disable the default DAG2 because it is marked as the default DAG.

An attacker with UI access can manually provide a run_id of DAG1 and make it appear that it has been executed. As a result, when Airflow executes DAG1, it continues to use the old configuration, which was never properly validated. An attacker with UI access who can trigger DAGs can therefore run arbitrary commands using a manually provided run_id for DAG1.

Description of the vulnerability

As described above, this issue stems from the DAG configuration change between Airflow 2.3.x and 2.4.x (DAG1 deprecated in favour of DAG2, with no way to disable DAG2) and from the lack of validation of the old DAG1 run_id. An attacker with UI access can manually provide a run_id of DAG1 and trigger arbitrary command execution. Those commands run in the context of the Airflow scheduler process, with the privileges of the user it runs as, which gives the attacker a foothold on the target machine and access to sensitive information such as passwords held in Apache Airflow process memory.

Vulnerability overview

An attacker with UI access who is able to trigger DAGs can execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.
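As an added illustration (not code from this advisory or from the Airflow project), the snippet below shows the defensive side of the issue: a manually supplied run_id is checked against a strict allowlist before it can reach a templated shell command, with the risky string-splicing pattern shown beside the hardened form, plus a helper an operator could run over existing DagRun ids after upgrading. The allowlist pattern, the function names and the sample values are this example's own assumptions.

```python
import re
import shlex

# Allowlist for manually supplied run_id values. The pattern is this example's own
# choice (assumption), not a quote of Airflow's source: letters, digits and a few
# punctuation characters seen in ids such as "manual__2022-11-14T10:15:00+00:00".
RUN_ID_PATTERN = re.compile(r"^[A-Za-z0-9_.~:+-]+$")


def is_valid_run_id(run_id: str, max_len: int = 250) -> bool:
    """True only if run_id is non-empty, bounded in length and fully allowlisted."""
    return 0 < len(run_id) <= max_len and RUN_ID_PATTERN.fullmatch(run_id) is not None


def render_unsafe(run_id: str) -> str:
    """The risky pattern: a user-controlled value spliced straight into a shell line.

    Nothing here stops characters that the shell would interpret; this is the
    shape of code the advisory warns about and exists only for comparison.
    """
    return f"echo run_id={run_id}"


def render_hardened(run_id: str) -> str:
    """Reject anything outside the allowlist, then shell-quote what remains."""
    if not is_valid_run_id(run_id):
        raise ValueError(f"rejected run_id: {run_id!r}")
    # Quoting is a second layer; the allowlist already excludes metacharacters.
    return f"echo run_id={shlex.quote(run_id)}"


def audit_run_ids(run_ids):
    """Defender check: return run_ids (e.g. from stored DagRun rows) that fail the
    allowlist, the signal an operator would look for when reviewing an upgrade."""
    return [r for r in run_ids if not is_valid_run_id(r)]


if __name__ == "__main__":
    # Constructed sample ids, not taken from any real Airflow metadata database.
    sample = ["manual__2022-11-14T10:15:00+00:00", "scheduled__2022-11-14", "bad id", "x$y"]
    print("suspicious:", audit_run_ids(sample))
    print(render_hardened(sample[1]))
```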

Timeline

Published on: 11/14/2022 10:15:00 UTC
Last modified on: 11/16/2022 18:53:00 UTC
