Recent reports indicate that an unauthenticated Remote Code Execution (RCE) vulnerability has been discovered in Metabase that lets threat actors compromise servers and execute arbitrary commands. Metabase has released patches for this vulnerability.
Metabase is an open-source business intelligence tool used for creating charts and dashboards from a variety of databases and sources.
The project, which has over 33,000 stars on GitHub, has patched several vulnerabilities in recent times.
As per the report from Assetnote, more than 20,000 instances of Metabase were exposed to the internet, which also exposes sensitive data sources that are connected to these Metabase instances.
A pre-auth RCE on these instances would open a kingdom of information for a threat actor.
To achieve pre-auth RCE, the researchers first started a vulnerable Metabase instance with the command below, which starts the instance on port 3000.
The exploit does not require any special configuration of Metabase.
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6
When Metabase is first set up, a setup token is provided to users, which allows them to complete the setup process. The setup token was configured to be used only once and erased after use.
However, reports indicate that on some Metabase instances the setup token was still accessible to unauthenticated users in the following ways:
- HTML source of index/login page has the setup-token in a JSON object
- /api/sessions/properties endpoint also exposed the setup-token, which was accessible without authentication.
There were several instances where Metabase did not wipe the setup-token value.
Other instances had "setup-token":null. This was due to a commit to the codebase in Jan 2022 which had the "setup/clear-token!" value set.
This means that there was another change in Metabase's critical flow that led to the setup token persisting on the vulnerable instances.
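To audit your own instance for the condition described above, the saved bodies of the index/login page and of the properties endpoint can be checked for a setup-token that was never wiped. This is an added example, not code from Metabase or the researchers; the sample bodies, the "other" key and the token value are constructed placeholders.

```python
import json
import re

# Finds the "setup-token" member anywhere in a body, e.g. in the JSON object
# embedded in the index/login page HTML.
TOKEN_RE = re.compile(r'"setup-token"\s*:\s*(null|"(?:[^"\\]|\\.)*")')

def find_setup_token(body):
    """Return (present, value); value is None when the member is null."""
    try:
        doc = json.loads(body)          # bare JSON, as an API endpoint returns
    except ValueError:
        doc = None                      # not JSON: treat as HTML/text below
    if isinstance(doc, dict) and "setup-token" in doc:
        return (True, doc["setup-token"])
    match = TOKEN_RE.search(body)       # embedded or nested occurrence
    if match is None:
        return (False, None)
    return (True, json.loads(match.group(1)))

def audit(responses):
    """Classify each saved response as 'exposed', 'cleared' or 'absent'."""
    verdicts = {}
    for label, body in responses.items():
        present, value = find_setup_token(body)
        if not present:
            verdicts[label] = "absent"
        elif value:                     # non-empty string: token was not wiped
            verdicts[label] = "exposed"
        else:                           # null (or empty): token was cleared
            verdicts[label] = "cleared"
    return verdicts

# Constructed sample bodies; the token is a placeholder, not a real value.
SAMPLES = {
    "properties, token kept": '{"setup-token": "00000000-0000-4000-8000-000000000000", "other": 1}',
    "login page, token null": '<html><script type="application/json">{"other":1,"setup-token":null}</script></html>',
    "login page, no member": "<html><body>Sign in</body></html>",
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{verdict:8} {label}")
```

An "exposed" verdict on a response served without authentication means the instance should be upgraded before it is left reachable from the internet.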
Furthermore, during setup Metabase prompts users to connect to a data source, which is where the /api/setup/validate endpoint was found. This endpoint takes a JDBC URI value as part of the POST request.
An SQL injection was found in the H2 db driver through its INIT parameter, which is an SQL query that the driver runs when it initiates the database connection.
Metabase provides a sample database, available in a JAR file, which can be used for chaining the attack without corrupting the database.
Combining all these pieces yields a reverse shell that can be used to extract sensitive information from the data sources of the Metabase instances.
Affected Products
As per the security advisory of Metabase, the following versions were released.
- v0.45.4.1 and v1.45.4.1
- v0.44.7.1 and v1.44.7.1
- v0.43.7.2 and v1.43.7.2
Users of Metabase are recommended to upgrade to the latest version of Metabase to fix this vulnerability.