{"id":3143,"date":"2024-04-17T14:14:55","date_gmt":"2024-04-17T19:14:55","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns"},"modified":"2024-04-17T14:14:55","modified_gmt":"2024-04-17T19:14:55","slug":"active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/17\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns\/","title":{"rendered":"Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltada1952e2a0a9192\/662012aff8d53d8ff8f7fa87\/cloud_container_Sergey_Novikov_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Known vulnerabilities in OpenMetadata&#8217;s open source metadata repository have been under active exploit since the beginning of April, allowing threat actors to launch remote code execution cyberattacks against unpatched Kubernetes clusters, according to research from Microsoft Threat Intelligence.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">OpenMetadata is an <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/open-metadata.org\/\" rel=\"noopener\">open source platform<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> that operates as a management tool as well as a central repository for metadata. In mid-March, researchers published information on five new vulnerabilities (CVE-2024-28255,&nbsp;CVE-2024-28847,&nbsp;CVE-2024-28253,&nbsp;CVE-2024-28848,&nbsp;CVE-2024-28254) that affected versions preceding v1.3.1, according to <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/17\/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters\/\" rel=\"noopener\">Microsoft&#8217;s report<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">And while many cybersecurity teams might have missed the advisory, adversaries picked up on the opportunity to break into <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cloud-security\/patch-now-kubernetes-flaw-allows-for-full-takeover-of-windows-nodes\" rel=\"noopener\">vulnerable Kubernetes environments<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and leverage them for cryptocurrency mining, the vendor said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited,&#8221; Microsoft researcher Yossi Weizman explains. While the cybercriminals were engaged in crypto mining, he warns there&#8217;s a wide range of nefarious activity an adversary can engage in once they&#8217;re inside a Kubernetes cluster.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;In general (not specifically in this case), once attackers have control over a workload in the cluster, they can try to leverage this access also for lateral movement, both inside the cluster and also to external resources,&#8221; Weizman adds.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">OpenMetadata administrators are advised to update, use strong authentication, and reset any default credentials in use.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cloud-security\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Known vulnerabilities in OpenMetadata&#8217;s open source metadata repository have been<\/p>\n","protected":false},"author":12,"featured_media":3144,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=8688%2C5792&ssl=1",8688,5792,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=1536%2C1024&ssl=1",1536,1024,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=2048%2C1365&ssl=1",2048,1365,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=1024%2C683&ssl=1",1024,683,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/active-kubernetes-rce-attack-relies-on-known-openmetadata-vulns.jpg?fit=8688%2C5792&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3143"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3144"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}