Cloud Security, Application security, Cloud Security

Misconfigured Apache Airflow instances expose credentials on AWS, PayPal and Slack

Visitors arrive at the cloud pavillion of Amazon Web Services at a technology trade fair on March 14, 2016, in Hanover, Germany. (Sean Gallup/Getty Images)

Researchers on Monday reported that misconfigured instances of the open-source workflow management platform Apache Airflow exposed credentials for popular platforms and services such as Amazon Web Services, PayPal, and Slack.

In a blog post, Intezer researchers said sensitive data was exposed across any number of industries, including the media, finance, manufacturing, information technology, biotech, e-commerce, health, energy, cybersecurity, and transportation.

The researchers said exposing users credentials can cause data leakage or offer attackers the ability to move laterally across networks. In addition, customer data exposed because of a data leak can lead to violations of data protection laws and the possibility of legal action. There’s also the potential for malicious code execution and malware to launch on the exposed production environments and even on Apache Airflow itself, according to the researchers.

Unlike more traditional credential leaks that impact individual user accounts, these credential leaks impact entire application framework instances, making them very significant, said Jake Williams, co-founder and CTO at BreachQuest.

Threat actors might use leaked credentials to compromise entire databases containing sensitive user content, Williams said. “In some cases, threat actors might be able to use these credentials to compromise entire application containers and/or run their own containers using a victim’s billing information. In short, while user information wasn’t directly compromised through these leaks, they open the door to compromises of user data in massive quantities.”

Hank Schless, senior manager of security solutions at Lookout, said misconfigured cloud services and apps are a massive security risk to any organization. These days, a simple misconfiguration could become the backstage pass that an attacker needs to access the entire infrastructure. Attackers are constantly crawling the internet to find misconfigured or unsecured services that they can easily access. 

“One misconfigured service could give an attacker all they need to move laterally throughout the entire infrastructure – especially in large complex infrastructures where the attacker can move quietly without setting off any alarm bells,” Schless said. “This particular incident is concerning because of the number and variety of cloud services that Airflow supports. As one of the most popular open-source solutions in the world, the effects of the incident are far-reaching.”

Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that it’s a significant event because Apache Airflow has become one of the top open-source Python workflow management platforms used to create and schedule work flows for business and IT tasks. Some tens of thousands of organizations globally use Apache Airflow, Everette said.

“Just as the Kubernetes misconfiguration vulnerability showed a few months back, the practice of delaying patching can have catastrophic effects,” Everette said. “Companies need to have policies in place to review their patching processes and to validate all patching has taken place on a monthly or weekly basis. Also companies need to put in practice a policy of reviewing and applying coding best practices in their environments. All code should be code-tested and pen-tested before going live. They should look for vulnerabilities and common misconfigurations such as crosssite-scripting (XSS) and others.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.