Missing Authentication for Critical Function (CWE-306)
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker, by querying the MirrorMaker Kafka Connect REST API, to deny service to Kafka mirroring, to mirror topic content to an attacker-controlled Kafka cluster via a malicious connector (bypassing Kafka ACLs where they exist), and potentially to steal Kafka SASL credentials.
This vulnerability has a critical severity with a CVSS v3.1 base score of 9.8. The potential impacts are significant:
1. Denial of Service: An attacker can disrupt Kafka mirroring, causing downtime or data synchronization gaps between clusters.
2. Data Exfiltration: Topic content can be mirrored to an attacker-controlled Kafka cluster through a malicious connector registered via the REST API. Because the mirroring connector runs with the MirrorMaker identity, this works even where Kafka ACLs are configured on the source cluster.
3. Credential Theft: Kafka SASL credentials may be exposed through the REST API, potentially leading to further unauthorized access and cluster compromise.
4. Integrity, Availability and Confidentiality Breaches: With high impact on all three, exploitation can lead to unauthorized data modification, system unavailability, and exposure of sensitive information.
The vulnerability requires no user interaction and can be exploited remotely with low attack complexity by anyone who can reach the REST API, making it a critical risk for affected systems.
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.
A patch is available. Users should upgrade to STRIMZI Project version 0.42.0 or later to address this vulnerability.
1. Immediate Patching: Given the severity (CVSS score 9.8), prioritize upgrading to STRIMZI Project version 0.42.0 or later as soon as possible.
2. Access Restriction: If immediate patching is not feasible, restrict access to the Kafka Connect REST API of the MirrorMaker deployment (port 8083 by default). Allow access only from trusted networks and authenticated clients, for example with a Kubernetes NetworkPolicy that limits ingress to that port to the operator and known administrative workloads.
3. Network Segmentation: Implement strict network segmentation to isolate Kafka clusters and limit the attack surface reachable from compromised workloads.
4. Monitoring: Enhance monitoring of Kafka Connect REST API activity (connector creation, configuration reads, pause/delete requests) to detect suspicious queries or unauthorized access attempts.
5. Audit ACLs and Connectors: Review Kafka ACL configurations and the connectors currently registered on the MirrorMaker Connect cluster, so that an unexpected connector or target cluster is noticed quickly and damage is limited if the vulnerability is exploited.
6. Credential Review: Assume that any SASL credential present in a MirrorMaker connector configuration may have been read through the REST API. Rotate such credentials and implement more robust authentication mechanisms where possible.
7. Incident Response Preparation: Given the high impact, ensure incident response plans cover the exploitation scenarios above (mirroring disruption, data exfiltration to a foreign cluster, credential reuse).
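The audit in items 4 to 6 can be partly automated. The following is an added example, not Strimzi or Apache Kafka project code, that checks the connector configurations a Kafka Connect / MirrorMaker 2 REST API hands out. It assumes the JSON shape returned by `GET /connectors?expand=info` (a map of connector name to `{"info": {"config": {...}}}`), an allowlist of bootstrap addresses that you define for your environment (the hostnames below are hypothetical), and it treats any `*.bootstrap.servers` entry outside that allowlist as a possible exfiltration target and any plaintext `sasl.jaas.config` or `*password` value as a credential exposed to whoever can query the API. The sample response embedded in the block is constructed for illustration; in use, replace it with the body fetched from the MirrorMaker pod's REST endpoint.

```python
"""Audit connector configs exposed by a Kafka Connect / MirrorMaker 2 REST API.

Added example (not Strimzi or Kafka project code). Assumes the response shape of
GET /connectors?expand=info. The allowlist and the sample response are constructed.
"""
import json
import re

# Hypothetical allowlist: the only Kafka clusters mirroring is allowed to touch.
ALLOWED_BOOTSTRAP = {
    "source-kafka-bootstrap.kafka.svc:9092",
    "target-kafka-bootstrap.kafka.svc:9092",
}

# Config keys that carry credentials. A value that is a Kafka config-provider
# placeholder (e.g. "${file:...}") is returned unresolved by the REST API and
# is therefore not counted as exposed.
SECRET_KEY_PATTERN = re.compile(r"(sasl\.jaas\.config|password)$")


def parse_connectors(body: str) -> dict:
    """Return {connector_name: config} from a GET /connectors?expand=info body."""
    data = json.loads(body)
    return {name: entry.get("info", {}).get("config", {}) for name, entry in data.items()}


def bootstrap_servers(config: dict) -> dict:
    """Collect every *.bootstrap.servers value, split into individual host:port entries."""
    found = {}
    for key, value in config.items():
        if key.endswith("bootstrap.servers"):
            found[key] = [s.strip() for s in str(value).split(",") if s.strip()]
    return found


def audit_connector(config: dict, allowed=ALLOWED_BOOTSTRAP) -> list:
    """Return a list of human-readable findings for one connector config."""
    findings = []
    for key, servers in bootstrap_servers(config).items():
        for server in servers:
            if server not in allowed:
                findings.append(f"{key} points at non-allowlisted cluster {server}")
    for key, value in config.items():
        if SECRET_KEY_PATTERN.search(key) and not str(value).startswith("${"):
            findings.append(f"{key} holds a plaintext credential readable via the REST API")
    return findings


def audit(body: str, allowed=ALLOWED_BOOTSTRAP) -> dict:
    """Audit every connector in a REST API response; returns {name: [findings]}."""
    return {name: audit_connector(cfg, allowed) for name, cfg in parse_connectors(body).items()}


# Constructed sample of what an unauthenticated GET /connectors?expand=info might return.
# 198.51.100.7 is a documentation address standing in for an attacker-controlled cluster.
SAMPLE_RESPONSE = json.dumps({
    "mm2-source": {"info": {"name": "mm2-source", "config": {
        "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
        "source.cluster.alias": "source",
        "target.cluster.alias": "target",
        "source.cluster.bootstrap.servers": "source-kafka-bootstrap.kafka.svc:9092",
        "target.cluster.bootstrap.servers": "target-kafka-bootstrap.kafka.svc:9092",
        "source.cluster.sasl.jaas.config":
            'org.apache.kafka.common.security.scram.ScramLoginModule required '
            'username="mirror" password="s3cr3t";',
        "topics": ".*",
    }}},
    "mm2-checkpoint": {"info": {"name": "mm2-checkpoint", "config": {
        "connector.class": "org.apache.kafka.connect.mirror.MirrorCheckpointConnector",
        "source.cluster.bootstrap.servers": "source-kafka-bootstrap.kafka.svc:9092",
        "target.cluster.bootstrap.servers": "target-kafka-bootstrap.kafka.svc:9092",
        "target.cluster.sasl.jaas.config": "${file:/opt/kafka/external-configuration/creds.properties:jaas}",
    }}},
    "data-sync-helper": {"info": {"name": "data-sync-helper", "config": {
        "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
        "source.cluster.bootstrap.servers": "source-kafka-bootstrap.kafka.svc:9092",
        "target.cluster.bootstrap.servers": "198.51.100.7:9092",
        "topics": ".*",
    }}},
})


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSE).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

On the constructed sample the script flags `data-sync-helper` for its foreign target cluster (the exfiltration pattern from the description) and `mm2-source` for a plaintext SASL JAAS string, while `mm2-checkpoint` passes because its credential is an unresolved config-provider placeholder. Run it on the real response only after the API has been fenced off, since the same query is the one an attacker would use.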
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline:
- NVD published the first details for CVE-2024-36543.
- Feedly found the first article mentioning CVE-2024-36543.
- Feedly estimated the CVSS score as HIGH.
- EPSS score set to 0.04% (percentile: 9%).
- A CVSS base score of 7.3 was assigned.
- A CVSS base score of 9.8 was assigned (the score shown above).