A misconfigured Apache Airflow to AWS Account Compromise

Recon

My hypothesis became stronger when I ran a quick Shodan search to see how many Airflow instances are exposed to the internet and vulnerable to CVE-2020-17526. On top of that, older versions of Apache Airflow do not enable authentication by default. A simple search revealed more than 300 Airflow instances publicly exposed to the internet without any authentication.

Exploit CVE-2020-17526

Privilege Escalation

  1. AWS keys are hardcoded in the Connections tab.
  2. The airflow.cfg configuration is wide open and exposes the Postgres connection string.
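Both escalation paths above come down to secrets sitting in places the web UI can read. The following is an added example (not code from the original post) of a defender-side audit for those settings: it parses an airflow.cfg with Python's configparser and flags the Airflow 1.10-era weak settings behind this write-up (webserver authentication off, the default session secret key that makes CVE-2020-17526 possible, configuration exposed in the UI, and a metadata-database connection string with an inline password), and it separately flags static AWS access keys stored in a connection's "extra" field. The cfg texts, the connection extra, and the Secrets Manager secret name are constructed sample values; the real option names (`sql_alchemy_conn`, `sql_alchemy_conn_cmd`, `authenticate`, `rbac`, `secret_key`, `expose_config`) are Airflow's own.

```python
"""Audit airflow.cfg and connection extras for the misconfigurations behind
an Airflow-to-AWS compromise. Added example; all sample data is constructed."""
import configparser
import json
import re

# Value shipped as secret_key in Airflow 1.10 default config templates.
DEFAULT_SECRET_KEY = "temporary_key"

# Matches scheme://user:password@host, i.e. a password embedded in the URI.
INLINE_PASSWORD = re.compile(r"^[a-z0-9+]+://[^:/@\s]+:[^@\s]+@", re.IGNORECASE)

# Constructed sample shaped like a 1.10-era airflow.cfg with every weak setting.
WEAK_CFG = """
[core]
sql_alchemy_conn = postgresql+psycopg2://airflow:Sup3rS3cret@db.internal:5432/airflow

[webserver]
authenticate = False
secret_key = temporary_key
expose_config = True
"""

# Constructed hardened counterpart: the DB password is fetched at startup via the
# *_cmd variant instead of living in the file; the secret name is a placeholder.
HARDENED_CFG = """
[core]
sql_alchemy_conn_cmd = aws secretsmanager get-secret-value --secret-id PLACEHOLDER/airflow-meta-db --query SecretString --output text

[webserver]
authenticate = True
rbac = True
secret_key = REPLACE-WITH-RANDOM-VALUE-PER-DEPLOYMENT
expose_config = False
"""

# Constructed connection "extra" JSON using AWS's documented example key id.
WEAK_EXTRA = '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "aws_secret_access_key": "EXAMPLE-SECRET"}'


def _get(cfg, section, key, default=""):
    """Read an option, tolerating a missing section or key."""
    return cfg.get(section, key, fallback=default).strip()


def audit_airflow_cfg(text: str) -> list[str]:
    """Return a list of findings for the weak settings discussed in the post."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    conn = _get(cfg, "core", "sql_alchemy_conn")
    if INLINE_PASSWORD.match(conn):
        findings.append("core.sql_alchemy_conn embeds the database password; "
                        "use sql_alchemy_conn_cmd or a secrets backend")

    # Airflow 1.10 defaults authenticate to False, so a missing key counts as off.
    if _get(cfg, "webserver", "authenticate", "False").lower() != "true":
        findings.append("webserver.authenticate is not True; the UI is open to anyone")

    secret = _get(cfg, "webserver", "secret_key")
    if secret in ("", DEFAULT_SECRET_KEY):
        findings.append("webserver.secret_key is default or empty; sessions are "
                        "forgeable (CVE-2020-17526)")

    if _get(cfg, "webserver", "expose_config", "False").lower() == "true":
        findings.append("webserver.expose_config is True; airflow.cfg is readable from the UI")

    return findings


def audit_connection_extra(extra_json: str) -> list[str]:
    """Flag long-lived AWS credentials stored in a connection's extra field."""
    try:
        extra = json.loads(extra_json)
    except json.JSONDecodeError:
        return ["connection extra is not valid JSON"]
    static_keys = [k for k in ("aws_access_key_id", "aws_secret_access_key") if k in extra]
    if static_keys:
        return ["connection extra stores static AWS credentials (%s); prefer an "
                "IAM role or instance profile" % ", ".join(static_keys)]
    return []


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_airflow_cfg(text) or "no findings")
    print("connection extra", audit_connection_extra(WEAK_EXTRA))
```

Run it against a copy of the live airflow.cfg and against an export of the Connections table; a clean result on both is the baseline an organization should expect before exposing the webserver anywhere. The `_cmd` form is the key design choice: the secret never touches the file that `expose_config` or a filesystem read would reveal.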

Remediation

Conclusion: Learning for organizations

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc

Avinash Jain (@logicbomb)