Description
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
EPSS Score:
3%
Comprehensive Technical Analysis of EUVD-2023-41366
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2023-41366 affects Metabase, an open-source business intelligence and analytics platform. The core issue lies in the embedded in-memory database H2, which exposes ways for a connection string to include executable code. This vulnerability allows for remote code execution (RCE) on the Metabase server.
Severity Evaluation:
- CVSS Base Score: 10.0
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The CVSS score of 10.0 indicates a critical vulnerability. The vector string highlights that the attack can be executed remotely (AV:N), requires low complexity (AC:L), does not need any privileges (PR:N) or user interaction (UI:N), and has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Connection String Injection: An attacker can inject malicious code into the connection string used to connect to the H2 database.
- Validation API Exploitation: The validation API (
POST /api/setup/validateuntil) can be called without proper validation, allowing an attacker to inject and execute code.
Exploitation Methods:
- Remote Code Execution (RCE): By crafting a malicious connection string, an attacker can execute arbitrary code on the Metabase server.
- Network-Level Attacks: Exploiting the vulnerability through network endpoints such as
POST /api/database,PUT /api/database/:id, andPOST /api/setup/validateuntil.
3. Affected Systems and Software Versions
The vulnerability affects the following versions of Metabase:
- 0.43.7.3 and earlier
- 0.44.7.3 and earlier
- 0.45.4.3 and earlier
- 0.46.6.4 and earlier
- 1.43.7.3 and earlier
- 1.44.7.3 and earlier
- 1.45.4.3 and earlier
- 1.46.6.4 and earlier
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade Metabase: Upgrade to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, or 1.46.6.4, which have removed the ability to add H2 databases.
- Network-Level Blocking: Block the endpoints
POST /api/database,PUT /api/database/:id, andPOST /api/setup/validateuntilto prevent exploitation. - Migration: For users relying on H2 as a file-based database, migrate to SQLite.
Long-Term Mitigation:
- Regular Patching: Ensure that Metabase and all related software are regularly updated to the latest versions.
- Input Validation: Implement robust input validation mechanisms to prevent injection attacks.
- Security Audits: Conduct regular security audits and vulnerability assessments.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using Metabase within the European Union. Given the critical nature of the vulnerability (CVSS score of 10.0), it could lead to severe data breaches, unauthorized access, and potential disruption of services. The widespread use of Metabase in various industries, including finance, healthcare, and government, amplifies the potential impact.
6. Technical Details for Security Professionals
Vulnerability Details:
- Root Cause: The H2 database's ability to execute code from connection strings.
- Exploitation: Injection of malicious code through the connection string validation API.
- Affected Endpoints:
POST /api/database,PUT /api/database/:id,POST /api/setup/validateuntil.
Detection and Monitoring:
- Log Analysis: Monitor logs for unusual activities related to the affected endpoints.
- Intrusion Detection Systems (IDS): Implement IDS rules to detect and alert on suspicious activities.
- Network Traffic Analysis: Use network traffic analysis tools to identify and block malicious requests.
Incident Response:
- Containment: Immediately block the affected endpoints and isolate the compromised Metabase server.
- Eradication: Remove any malicious code and ensure the system is clean.
- Recovery: Restore services using patched versions of Metabase and ensure all systems are updated.
References:
- GitHub Advisory: GHSA-p7w3-9m58-rq83
- CVE ID: CVE-2023-37470
- GSD ID: GSD-2023-37470
By following these mitigation strategies and maintaining a proactive security posture, organizations can significantly reduce the risk associated with this vulnerability.