Serious flaws in Azure HDInsight highlight risks of cross-site scripting

Security researchers have discovered eight serious cross-site scripting (XSS) flaws in Azure HDInsight, a big data processing service built on open source technologies such as Apache Hadoop, Spark, Hive, and Kafka running on Azure. The flaws could have allowed attackers to inject malicious scripts that execute in visitors’ browsers.

“All XSS vulnerabilities presented significant security dangers to knowledge integrity and user privacy in vulnerable ApacheArray, adding query hijacking and provision of malicious payloads, putting any Apache user at risk, adding Apache Hadoop, Spark, and Oozie,” Orca Security researchers said in their report.

The flaws were privately reported to Microsoft and were patched last month. Still, the presence of eight basic web flaws in a service operated by one of the largest technology companies underscores the need for organizations to be proactive about their own defenses and not take third-party security for granted.

XSS is one of the most common and well-known classes of web vulnerability. It results from insufficient validation of user input (typically submitted through a web form), which allows input containing JavaScript to be sent back to the visitor’s browser and rendered as part of the page. Malicious JavaScript running in a browser in the context of a website is very harmful because it has access to the user’s authenticated session: such attacks can make the user’s browser perform actions on the site that the user never intended (session riding), or steal the session cookie or tokens outright.

There are two types of XSS vulnerabilities: reflected and stored. Reflected XSS vulnerabilities are exploited by supplying the malicious JavaScript payload as a parameter of a vulnerable URL. A victim has to click on the specially crafted URL sent by the attacker for the XSS payload to run in their browser; if they navigate to the target website on their own, they never receive the payload. In other words, a reflected XSS exploit requires user interaction.

Stored XSS issues are more damaging because the attacker only needs to exploit a vulnerable field once to permanently inject the malicious code into the web page. That code is then triggered every time other users visit the page later, without any additional interaction such as clicking on a specially crafted URL.

Six of the XSS vulnerabilities Orca discovered in Azure HDInsight were stored and the other two were reflected. They were tracked as CVE-2023-36881 (four vulnerabilities), CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, and CVE-2023-36877, and were rated important by Microsoft. The four vulnerabilities grouped under CVE-2023-36881 are all located in Apache Ambari, a web-based dashboard for managing Apache Hadoop clusters.

“Our first encounter with XSS on Azure HDInsight was simple,” the researchers said. “We found that Apache Ambari background operations had several settings that, by default, could be changed. After identifying this number one stored XSS vulnerability, we expanded our investigation. Using techniques, we learned about seven other similar vulnerabilities.”

The research was not difficult. The researchers used Burp Suite’s Intruder fuzzing tool, a penetration testing tool for web applications that can send XSS payloads. The web interface did apply XSS filtering to user input, but the filtering was insufficient. “By thoroughly examining HTTP responses and analyzing the Document Object Model (DOM), we were able to identify where the application was inappropriately filtering or cleaning user-provided input,” the researchers said.
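To make the reflected-versus-stored mechanics above and the "filtering was insufficient" finding concrete, here is an added example (not code from Orca, Microsoft, or any of the Apache projects named) of a minimal Node.js page renderer that reflects a search query into HTML: first unsafely, then with a blocklist filter of the kind the article calls insufficient, then hardened with output encoding. The function and parameter names are assumptions for illustration.

```javascript
// Added example, not taken from the page or the projects it describes.
// Encode the characters that can change meaning in an HTML text or
// attribute context, so user input can never become markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// A blocklist filter: removes literal lowercase <script> tags and nothing
// else. This is the style of "XSS filtering" that proves insufficient,
// because it only recognises one spelling of one construct.
function stripScriptTags(value) {
  return String(value).replace(/<script>|<\/script>/g, "");
}

// Vulnerable: the query parameter is concatenated straight into the page,
// so a crafted URL (reflected XSS) or a saved value (stored XSS) executes.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Still vulnerable: filtering input instead of encoding output.
function renderSearchFiltered(query) {
  return `<p>Results for: ${stripScriptTags(query)}</p>`;
}

// Hardened: encode at the output boundary, regardless of what was stored.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Detection helper for the examples: does the rendered body (minus the
// renderer's own <p> wrapper) still contain any raw HTML tag?
function containsRawTag(html) {
  const body = html.replace(/^<p>|<\/p>$/g, "");
  return /<[a-z/!][^>]*>/i.test(body);
}

// Constructed sample input, the classic proof-of-concept string.
const sample = "<script>alert(1)</script>";
console.log("unsafe  :", containsRawTag(renderSearchUnsafe(sample)));   // true
console.log("filtered:", containsRawTag(renderSearchFiltered("<SCRIPT>alert(1)</SCRIPT>"))); // true
console.log("safe    :", containsRawTag(renderSearchSafe(sample)));     // false
```

The filtered variant passes the lowercase sample but not a differently cased one, which is why the article's recommendation is encoding at output rather than pattern-based input filtering.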

After the first flaw in Ambari background operations, further stored XSS issues were found in the Controlled Notifications, YARN Queue Manager, and YARN Settings components. These four vulnerabilities were grouped under the identifier CVE-2023-36881. Another stored XSS flaw was found in the Azure HDInsight Jupyter Notebook service, specifically in its cell editor. That vulnerability can lead to remote code execution because of the service’s WebSocket communication capability: an attacker could upload a malicious JavaScript file to a remote server that establishes a WebSocket communication channel and sends a reverse shell as the code payload.

The sixth stored XSS flaw is located in the Azure HDInsight Apache Oozie web console and can be exploited despite conventional filters. Apache Oozie is a workflow scheduling system for Hadoop jobs. The two reflected XSS flaws were found in Hadoop itself and in Apache Hive and can be exploited through endpoint manipulation.

Although Microsoft has patched the Azure HDInsight vulnerabilities in its service, the researchers remind organizations to implement XSS defenses in their own web applications. Orca’s recommendations include:
