A PayPal office complex. PayPal credentials were among those exposed by recently discovered misconfigured Apache Airflow instances. (Yaeli778, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

The recent disclosure of misconfigurations in Apache Airflow instances that exposed thousands of credentials for Slack, PayPal, AWS and other services underscored the potential dangers associated with misconfigured cloud-based workflow management platforms.

If used correctly, workflow management platforms can introduce helpful automation into a company’s IT and business processes. But if used carelessly, they can result in leaks of database passwords, API keys and cloud credentials that could potentially affect entire application framework instances and/or result in malicious code execution on exposed production environments, as reported this week by SC Media.

The ripple effect of exploited credentials or a data leak can be significant, allowing attackers to potentially engage in lateral movement and compromise multiple entities. For instance, “If a large number of passwords are visible, a threat actor can… use this data to detect patterns and common words to infer other passwords,” stated a blog post report from Intezer, whose researchers discovered the misconfigurations. “These can be leveraged in dictionary or brute-force-style attacks against other platforms.”

According to Intezer, the most common way to leak credentials in Airflow is to use hardcoded passwords on the platform, either inside developers’ Python DAG code or in Airflow’s “variables” feature. These kinds of mistakes should be avoided regardless of which workflow management solutions your company is using. After all, “Apache Airflow is just one example of the myriad of third-party tooling we plug into our services to orchestrate and manage them. These third-party tools do not necessarily ship secure by default,” said Archie Agarwal, founder and CEO at ThreatModeler.

“The lesson is we have to be very mindful of how credentials are being stored and processed in third-party software that interacts with our other services and needs to be authenticated with them. We cannot make the assumption they are securely stored and processed.”

And yet, some user organizations may be falsely assuming that risk levels are negligible with workflow solutions.

“The biggest risk to these technologies is that organizations don’t appreciate that they are a risk,” said John Bambenek, principal threat hunter at Netenrich. “If something needs workflow management, odds are it’s valuable information or business processes that rely on it. If businesses find value in it, so will criminals. Workflow management sounds about as interesting as a trade show on accounting software, but it touches valuable information so it should be front of mind of CISOs.” 

Indeed, there are many kinds of information that can be exposed through unsafe workflow management practices. “Lots of different data types need workflow management: financial information, medical information, manufacturing information, etc.,” Bambenek continued. “Ultimately, the information that makes a business 'go' is what such systems would use, so whatever the key information is for a particular organization, that’s what is at risk.”

Moreover, if these tools are used for IT tasks, then an exploit of such systems could also be used in major compromises like SolarWinds, he added.

Users of workflow management systems are advised to take precautions to ensure proper usage. Among the most important steps is to regularly update these tools’ software. Indeed, Intezer reported that most of its research pertained to “older, less secure versions of Apache Airflow.”

“Newer versions leverage secure APIs and sensitive data is cleaned from the logs,” explained Agarwal. Due to better authentication and bolstered protections, “now is a good time to ensure your Apache Airflow version is up to date and leveraging these secure protocols.”

With that said, patch management isn’t a panacea. After all, “vulnerability scanners can identify missing patches, but often won’t detect misconfigurations,” said Jake Williams, co-founder and CTO at BreachQuest.

For that reason, secure code development is also important. Intezer’s report warns readers that passwords should not be hardcoded and that “long names of images and dependencies should be utilized.”

Specifically with Airflow, Intezer also recommends that users store credentials via “Connections,” noting that “when a connection with a password or token is added to Airflow, the password is securely encrypted in a database using the Fernet key.” The company also advised organizations to adopt runtime cloud-native application security.
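The two leak paths Intezer describes (a password hardcoded in DAG code, or a secret written to an Airflow Variable) and the recommended alternative (a Connection, whose password is Fernet-encrypted in the metadata database) can be told apart statically. The checker below is an added example, not Intezer's or the Airflow project's code: it parses a DAG file with Python's `ast` module (the `airflow` imports in the constructed sample are only parsed, never executed) and flags string literals bound to secret-like names or passed to `Variable.set`, while a `BaseHook.get_connection(...)` lookup passes clean. The secret-name regex is an assumption that teams would tune to their own naming.

```python
"""Static check for hardcoded credentials in Airflow DAG files (added example)."""
import ast
import re
from typing import List, Tuple

# Names that usually carry a secret when bound to a string literal (assumed list).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key|access_key)", re.I)


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line, finding) pairs for string literals that look like embedded secrets."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # DB_PASSWORD = "..." at module or function scope
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id) \
                        and _is_str_literal(node.value):
                    findings.append((node.lineno, f"literal assigned to {target.id}"))
        elif isinstance(node, ast.Call):
            # SomeOperator(..., password="...") or Connection(password="...")
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_str_literal(kw.value):
                    findings.append((kw.value.lineno, f"literal keyword argument {kw.arg}"))
            # Variable.set("api_token", "literal") stores the secret unencrypted as a Variable
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "set"
                    and isinstance(func.value, ast.Name) and func.value.id == "Variable"
                    and len(node.args) >= 2 and _is_str_literal(node.args[0])
                    and SECRET_NAME.search(node.args[0].value) and _is_str_literal(node.args[1])):
                findings.append((node.lineno, f"Variable.set({node.args[0].value!r}) with literal value"))
    return sorted(findings)


# Constructed sample DAG: two leak patterns and one Connection-based lookup.
SAMPLE_DAG = '''\
from airflow.models import Variable
from airflow.hooks.base import BaseHook

DB_PASSWORD = "hunter2"                      # hardcoded in DAG code: flagged
Variable.set("api_token", "sk-live-0000")    # secret stored as a Variable: flagged
conn = BaseHook.get_connection("warehouse")  # Fernet-encrypted Connection: not flagged
pw = conn.password
'''

if __name__ == "__main__":
    for line, finding in find_hardcoded_secrets(SAMPLE_DAG):
        print(f"line {line}: {finding}")
```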

Additionally, Bambenek suggested that any newer technology, including workflow solutions, should “go through a threat modeling exercise,” ideally conducted by “a seasoned threat intelligence analyst or pentester who knows how attackers think.”

“From there, once you can enumerate the business risks in financial terms, that’ll dictate what level of protections you can afford – because everything costs money in either time or product,” Bambenek continued. “Such systems need to be protected from accepting instructions from the outside (i.e. never publicly-facing and strong access-controls to prevent them reaching out of the organization to communicate), and the data that flows through should be encrypted. Lastly, for IT management, all tasks should be analyzed in at least automated ways to ensure nothing unusual is taking place.”