It’s confirmed. A Metabase critical vulnerability, which can lead to pre-authentication remote code execution on vulnerable installations, has been found exploited in the wild.
Vulnerability alert service inTheWild has listed the Metabase critical vulnerability, tracked as CVE-2023-38646, as being exploited in the wild.
The Metabase critical vulnerability affects open-source versions prior to 0.46.6.1 and Metabase Enterprise versions prior to 1.46.6.1.
Metabase is a widely used open-source business intelligence tool.
The Metabase critical vulnerability allows attackers to execute arbitrary code on a target system without the need for any authentication, potentially leading to unauthorized access to sensitive data sources.
Metabase critical vulnerability: The details
Metabase boasts over 33,000 stars on GitHub and has gained popularity for its ability to create charts and dashboards using data from various databases and sources.
Metabase issued an advisory on July 20, warning that an unauthenticated attacker could exploit the vulnerability to execute arbitrary commands on the affected server with the same privileges as the Metabase server process.
Without mincing words about the situation, the company described the vulnerability, later assigned CVE-2023-38646, as “extremely severe”.
The company has also addressed the issue in the following older versions:
0.45.4.1 and 1.45.4.1
0.44.7.1 and 1.44.7.1
0.43.7.2 and 1.43.7.2
The security research team at Assetnote, responsible for this latest discovery, determined that there were about 20,000 instances of Metabase exposed on the external internet as of July 22.
According to the report, the pre-authentication Remote Code Execution (RCE) vulnerability in this tool carries significant consequences due to its purpose of connecting to highly sensitive data sources.
Exploiting this vulnerability could grant unauthorized access to critical sections of an organization’s network, potentially allowing attackers to gain control over the system and access sensitive data sources.
The origins of the Metabase critical vulnerability
“When reviewing the different flows inside Metabase and capturing the traffic from the installation steps of the product, we noticed that there was a special token that was used to allow users to complete the setup process,” said the Assetnote report.
“This token was called the setup-token and most people would assume that the setup flow can only be completed once (the first setup).”
However, the research team found that the “setup-token” was still present after setup and could be retrieved by unauthenticated users through the application’s own API.
Further investigation revealed that this issue was introduced in a code refactor made in January 2022, so instances set up after that date were vulnerable. Older Metabase instances did not have their “setup-token” exposed.
The security researchers then proceeded to explore the exploitation process, looking for a path from an exposed “setup-token” to reliable remote code execution.
Metabase’s setup phase prompts users to connect to a datasource/database, which involves a validation endpoint. The researchers discovered a SQL injection vulnerability within the H2 database driver used by Metabase.
By exploiting this vulnerability, they were able to execute arbitrary code without relying on the INIT keyword, which Metabase had previously blocked as a countermeasure (in H2, an INIT parameter in the JDBC connection string runs arbitrary SQL as soon as the connection opens, so blocking that keyword alone did not close the injection).
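Because the injected SQL travels in a request body that reverse proxies do not log, the most practical post-hoc check is which endpoints were touched and in what order. The script below is an added example written for this article, not code from Metabase or Assetnote. It assumes the endpoint paths `/api/session/properties` (where the setup-token was retrievable without a session) and `/api/setup` / `/api/setup/validate` (the first-run setup and datasource validation endpoints); the log lines are constructed, not real traffic. On an instance whose first-run setup is complete, any request to the setup endpoints is anomalous, and a 2xx answer preceded by a properties fetch from the same client is the token-harvest-then-validate sequence described above.

```python
import re
from datetime import datetime

# Combined (nginx/Apache) access-log format; request bodies are not logged,
# so detection rests on which endpoints were touched and in what order.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoint paths are assumptions for this example: the unauthenticated
# properties call that leaked the setup-token, and the setup-phase
# endpoints the researchers chained it into.
PROPERTIES_PATH = "/api/session/properties"
SETUP_PATHS = {"/api/setup", "/api/setup/validate"}
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_setup_abuse(lines, probe_window_s=300):
    """Flag setup-endpoint hits on an instance whose first-run setup is done.

    Severity is 'high' when the server answered 2xx (the request reached the
    handler, so the token it carried was accepted) and the same client fetched
    session properties within probe_window_s beforehand, which is the
    token-harvest step; otherwise 'medium'.
    """
    last_probe = {}   # ip -> time of most recent properties fetch
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == PROPERTIES_PATH:
            last_probe[rec["ip"]] = rec["ts"]
            continue
        if rec["path"] not in SETUP_PATHS:
            continue
        probed = (rec["ip"] in last_probe and
                  (rec["ts"] - last_probe[rec["ip"]]).total_seconds() <= probe_window_s)
        accepted = 200 <= rec["status"] < 300
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"].isoformat(),
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if (accepted and probed) else "medium",
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2023:10:15:01 +0000] "GET /api/session/properties HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.7 - - [23/Jul/2023:10:15:03 +0000] "POST /api/setup/validate HTTP/1.1" 200 47 "-" "python-requests/2.31.0"
198.51.100.20 - - [23/Jul/2023:10:16:10 +0000] "GET /api/card/12 HTTP/1.1" 200 2234 "-" "Mozilla/5.0"
198.51.100.21 - - [23/Jul/2023:11:40:00 +0000] "POST /api/setup/validate HTTP/1.1" 403 31 "-" "curl/8.1.2"
""".splitlines()

if __name__ == "__main__":
    for finding in find_setup_abuse(SAMPLE_LOG):
        print(finding)
```

The 403 hit is still reported: a rejected validation attempt from an unknown client is worth knowing about, but the accepted one preceded by a properties probe is the pair that warrants an incident ticket and a review of the datasource configuration the attacker may have submitted.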
Metabase critical vulnerability CVE-2023-38646: Patch immediately
“We’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited,” the company assured on July 20.
As with several earlier cases, threat actors appear to have swooped in to make the most of the Metabase critical vulnerability, resulting in its exploitation in the wild.
Users of Metabase were advised to ensure their installations are up to date and to follow best security practices when configuring the tool to minimize the risk of exploitation.
Security-conscious organizations were encouraged to monitor updates from Metabase and promptly apply any security patches released by the project.
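Two checks follow from the details above: whether an instance still hands out its setup-token to anonymous callers (the exposure described in the origins section), and whether its version is at or above the fix for its own release branch (the patching advice here). The script below is an added example written for this article, not code from Metabase or Assetnote. It assumes that `GET /api/session/properties` can be called without a session and returns JSON with a `version` object carrying a `tag` string and a top-level `setup-token` key; the sample responses are constructed. The version logic encodes the backported fixes listed above: a naive “version >= 0.46.6.1” comparison would wrongly mark 0.45.4.1 as vulnerable and wrongly mark 0.46.5 as safe.

```python
import json
import re
import urllib.request

# First fixed release per (edition, minor) branch, from the Metabase advisory
# for CVE-2023-38646. Edition 0 is open source, edition 1 is Enterprise.
FIXED = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}
NEWEST_FIXED_MINOR = 46   # later branches (0.47+) were cut after the fix


def parse_version(tag):
    """'v0.46.6.1' -> (0, 46, 6, 1); shorter tags are zero-padded to 4 parts.

    Non-numeric suffixes such as '0-RC1' are treated as 0 for that part.
    """
    nums = []
    for part in tag.lstrip("v").split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums = nums[:4]
    return tuple(nums) + (0,) * (4 - len(nums))


def is_patched(tag):
    """True if the tag is at or above the fix for its own release branch.

    0.45.4.1 is fixed although it sorts below 0.46.6.1, and 0.46.5 is
    vulnerable although it sorts above 0.45.4.1, so compare within the
    branch. Branches older than 0.43 received no backport and need upgrading.
    """
    v = parse_version(tag)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return v[1] > NEWEST_FIXED_MINOR


def assess_properties(body):
    """Classify the JSON body of an unauthenticated session-properties call.

    Assumed response shape: a 'version' object with a 'tag' string, and a
    top-level 'setup-token' that should be absent or null once setup is done.
    """
    props = json.loads(body)
    tag = props.get("version", {}).get("tag", "")
    token = props.get("setup-token")
    return {
        "version": tag,
        "patched": is_patched(tag) if tag else None,
        "setup_token_exposed": bool(token),
    }


def fetch_properties(base_url, timeout=10):
    """Fetch the properties endpoint with no session cookie (path assumed)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/session/properties",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (not captured from a real instance).
VULNERABLE_SAMPLE = json.dumps({
    "version": {"tag": "v0.46.5"},
    "setup-token": "6d4c3f1e-0000-4000-8000-000000000000",
})
PATCHED_SAMPLE = json.dumps({
    "version": {"tag": "v0.45.4.1"},
    "setup-token": None,
})

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, assess_properties(body))
    # Against a live instance you own: print(assess_properties(fetch_properties("https://metabase.example")))
```

Treat `setup_token_exposed` as the decisive signal: an instance set up before the January 2022 refactor may report an unpatched version yet not leak the token, while a leaking instance is exploitable regardless of how it was deployed. Run the check only against instances you are authorized to test.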