Critical Security Vulnerability Found in Metabase BI Software Urges Users to Update ASAP
Metabase, a widely-used business intelligence and data visualization software, has recently unveiled a critical security vulnerability that poses a significant user risk. The flaw has been classified as "extremely severe" and could lead to pre-authenticated remote code execution on affected systems. The vulnerability is tracked as CVE-2023-38646 and impacts open-source editions of Metabase before version 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. As a precautionary measure, all users must update to the latest version of Metabase to mitigate the potential risks associated with this security issue.
In a recent advisory, Metabase revealed a critical security flaw that allows an attacker to execute arbitrary commands on the Metabase server without authentication, gaining unauthorized access with the same privileges. Despite no evidence of active exploitation, alarming data from the Shadowserver Foundation indicates that 5,488 out of 6,936 Metabase instances are vulnerable as of July 26, 2023. The cases are prevalent in the United States, India, Germany, France, the United Kingdom, Brazil, and Australia. Users must urgently address this issue by updating to the latest versions to safeguard their systems from potential risks and unauthorized access to sensitive data.
Assetnote, a company that finds and reports software bugs, found the problem in Metabase and let them know about it. The issue is related to how the software connects to a database, and it affects a specific part of the software called "/API/setup/validates." Bad actors could exploit this weakness by using a specially designed request that tricks the software's database driver, called H2, into allowing unauthorized access. That could give them control over the system and the ability to execute commands remotely.
For users who cannot apply the patches immediately, taking additional protective measures is crucial. It is highly advisable to block any requests to the vulnerable "/API/setup" endpoint to safeguard the system. Moreover, you'd better isolate the affected Metabase instance from the leading production network to limit its exposure. By doing so, potential attackers will find it more challenging to access the vulnerable endpoint. Additionally, vigilant monitoring for suspicious requests to the identified endpoint is essential. That will help detect unauthorized attempts to exploit the vulnerability and take timely action to prevent potential attacks.