Intezer Discovered Several Misconfigured Apache Airflow Instances


Intezer security experts uncovered many Apache Airflow instances that were misconfigured and exposed sensitive information to anyone on the Internet.

The Airflow instances were discovered to be improperly secured, exposing credentials for cloud service providers, social networking platforms, and payment processing services such as AWS, Slack, PayPal, and others.

Apache Airflow is a widely used open-source workflow management software in industries like cybersecurity, ecommerce, energy, finance, health, information technology, manufacturing, media, and transportation.

According to Intezer’s security researchers, their analysis into Airflow misconfigurations has found many scenarios that could lead to credential leakage. In most situations, the leak was caused by insecure coding methods.

The inclusion of hardcoded passwords inside the Python Directed Acyclic Graph (DAG), which is a collection of activities that represents the primary notion in Airflow, is the most prevalent way for credentials to be exposed, according to the researchers.

According to the researchers, credentials are frequently exposed using Airflow’s “variables” function. Hardcoded credentials are frequently included in these variables, which can be utilised globally across DAG programmes.

Credentials are stored appropriately in Airflow connections, securely encrypted in a database using a Fernet encryption key, but they occasionally get up in the Extra field of the connection, in plaintext, allowing anyone to see them.

Passwords and keys (including plaintext Fernet keys) are also saved in the configuration file that is created when Airflow is first launched. If the setting “expose config” is set to “True,” the configuration file can be accessed via the web server user interface.

Additionally, previous to version 1.10.13, Airflow would report all credentials entered via the command line interface (CLI) in plaintext, which was identified as CVE-2020-17511.

“Many of the accessible Airflow instances we discovered disclosed details about the services and platforms that businesses use in their software development environments. […] Information about tools and packages used in an organization’s infrastructure can put the organisation at risk, and it can also be utilised by threat actors in supply chain attacks, according to Intezer.

According to the researchers, Airflow plugins or features might be exploited to launch malicious malware on the exposed production systems.

To stay safe, users should update to the most recent version of Apache Airflow and make sure that only authorised users have access to their deployments.

“What may appear to be a simple code error (as researchers believe was the case here) might have far-reaching consequences for a brand’s reputation, as customer trust is based first and foremost on the security of their data. Companies can safely operate without putting customer data at risk with a comprehensive security posture assessment of the applications hosted within their cloud environment, as well as the ability to remediate issues in real-time,” said Pravin Rasiah, VP of Product at CloudSphere, in an emailed comment.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.