Kafdrop Flaw Puts Data of 'Major Global Players' at RiskVulnerability in User Interface for Apache Kafka 'Exceptionally Widespread'
A security flaw in Kafdrop, an open-source user interface and management interface for distributed event-streaming platform Apache Kafka, has put data in an undisclosed number of companies at risk, according to a research paper.
The victim can be "anyone using Kafdrop with Apache Kafka," the research report from cybersecurity company Spectral says. The affected companies, it says, belong to a range of "major global players to smaller organizations in healthcare, insurance, media, and IoT."
Kafdrop, according to the report, is used by "major global financial institutions, insurance companies, and communications providers," and has been downloaded more than 20 million times. The open-source project is deployed by "more than 80% of all Fortune 100 companies," it says.
Spectral founder Dotan Nahum, the author of the research report, did not disclose the identity of the victims, but says that the flaw is "exceptionally widespread."
"Since Kafka serves as a central data hub, threat actors with assistance from a flawed Kafdrop can infiltrate and exfiltrate data, and manage the cluster as they see fit. They can connect as a Kafka subscriber to cause further havoc across the entire network," he says.
While the report does not specify whether the flaw has been exploited, Nahum tells Information Security Media Group that "in such a case, it [exploitation] is almost sure."
The Apache Software Foundation, which developed Apache Kafka, did not immediately respond to ISMG's request for additional information.
What's at Risk?
The vulnerability allows anyone access to view live Kafka clusters, including financial transactions and mission-critical data, without authentication, the report says.
"Not only does the Kafdrop security flaw expose secrets in real-time traffic, but it also provides authentication tokens and other access details that allow hackers to reach the companies’ cloud providers, such as AWS, IBM, Oracle, and others, on which Kafka clusters are often deployed," the researcher says.
Threat actors who exploit the vulnerability may have access to the "nervous system of an entire company, revealing customer data, transactions, medical records, internal system traffic, etc.," Nahum says.
The report says emails exchanged between organizations and their customers and employees, containing sensitive data, tokens, and private cookies carried as parameters within email URLs, were also exposed.
An undisclosed medical organization affected by the flaw had its handling requests, processing, and inventory of medication, as well as customer prescription transactions exposed, according to the research report. It says that the records can be "abused by hackers for impersonation, extortion, and other similar acts."
A different cluster exposed insurance claims, transactions, and interactions between agents and customers, the report says, adding that this data can be "used by attackers to impersonate, extort, or redirect funds elsewhere."
"By adding an insecure management UI on top of secure, mission-critical Kafka clusters, operators have exposed the secure clusters to the world. With the management UI, an attacker can delete Kafka topics and drop consumers, wreaking havoc in internal systems," the report says.
Since Kafka is also a central data hub, threat actors can gain additional access by injecting specially crafted messages, the report says.
"By understanding the topology of a cluster, a hacker can efficiently connect and impersonate a legitimate consumer, injecting or pulling data at will."
While the findings are significant, the exact severity will vary by organization, as it depends on the data exposed, says Jacob Ansari, CISO of Schellman, a global independent security and privacy compliance assessor.
Misconfiguration has always been a frequent source of security incidents, and "Kafdrop is no exception." – Yehuda Rosen
"If misconfigured Kafdrop UI nodes are exposing mission-critical data streams, those companies could have a serious issue with inadvertent data disclosures, particularly for regulated data like PHI or financial information," Ansari tells ISMG.
While it’s possible that there’s no way to determine whether any exposed data was misused, understanding the window of exposure plays an important part in determining the severity of the issue and the response to customers, authorities, regulators or other stakeholders, he says.
Yehuda Rosen, senior software engineer at application security provider nVisium, says service misconfiguration has always been a frequent source of security incidents, and "Kafdrop is no exception."
"There is nothing unique about this - only the name of the specific target in this case," he tells ISMG.
"As technology stacks evolve, any service that can potentially handle private or sensitive information is going to be a top target of any attacker," he says.
Trevor Morgan, product manager at data security and cloud native tokenization company comforte AG, agrees with Rosen.
"We see the same issue with things like cloud resources (S3 buckets) where a simple misconfiguration leads to massive amounts of leaked data," he says.
He tells ISMG this is because IT projects are done too quickly, without putting in the "time and effort to do research and due diligence to ensure proper deployments and acceptably safe configurations."
Spectral has notified Kafdrop maintainers about the flaw and offered a solution, Nahum tells ISMG.
The report says that the company has added an authentication code back into Kafdrop and that companies who haven’t yet added the authentication code can either take down their Kafdrop UIs or redeploy them behind an app server such as Nginx, "using an active and configured authentication module."
Prevention measures must include scanning code and configuration, infrastructure and data horizontally across the complete SDLC, the report says.
Rosen says that organizations that handle sensitive data must review their access policies, firewall rules and other details of their digital security posture, irrespective of the technology -database, message queue, storage, etc. - or cloud vendor - AWS, IBM, etc.
"Continuous auditing, IDS/IPS systems, and protecting web UIs - either via firewall rules or a VPN - will go a long way in keeping attackers away from private data. But, most importantly, implementing a culture of security mindfulness and awareness should be any company's top priority."
Cyber FAT - or Functional Acceptance Test - and Cyber SAT - or Site Acceptance Test - would be a useful process for companies to catch any issue like this, says Kenneth Frische, director of cybersecurity and risk services at cybersecurity firm 1898 & Co.
To eliminate this specific issue, he tells ISMG, companies must focus on removal of data from the public internet, segmentation of access and secure encrypted authentication
"Being informed is one thing - doing something about it is entirely another." – Trevor Morgan
Morgan expressed concern about whether enough businesses will be exposed to the information in this report and take the time to mitigate the situation if they are deploying Kafdrop.
"We hear a lot about misconfigured S3 buckets, for example, but data incidents and breaches still keep occurring in this way. Being informed is one thing - doing something about it is entirely another," he says.
The report's mention of protecting the messaging and traffic directly through data-centric methods stands out to Morgan.
"So many organizations rely still on outmoded methods of data protection that rely on securing borders and environments around sensitive data. A much better way to ensure data security is to apply protections directly to the data itself," he says.
"The main point is to remember that some sort of data-centric protection is necessary when dealing with sensitive data and information."