External risk intelligence

Zepl Notebooks Sandbox Escape Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2021-42952

Zepl Notebooks are data analytics platforms often deployed within internal enterprise networks or VPCs to access sensitive data. While they may have web interfaces, they are not typically exposed directly to the public internet by design, making internet-facing deployment a possibility rather than a standard or inherent requirement.

Remote Code Execution

Zepl

before 2021-10-25

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Zepl Notebooks that allows authenticated users to escape the sandbox environment. This escape enables access to internal Zepl assets and cloud metadata services, potentially leading to unauthorized data exposure and system compromise.

  • Unauthorized code execution from notebooks.
  • High impact access to internal cloud data.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Zepl Notebooks can initiate Remote Code Execution (RCE) from within a notebook. This RCE capability allows the attacker to break out of the notebook's sandbox environment, granting them access to internal Zepl assets and cloud metadata services.

  • Authenticated access to Zepl Notebooks.
  • Triggering Remote Code Execution within a notebook.
  • Escape sandbox to access internal assets.

Live Threat

Current exploitation, exposure, and threat context

A sandbox escape vulnerability in Zepl Notebooks could allow an authenticated user to access internal Zepl assets, including cloud metadata services. This occurs when remote code execution is initiated from the notebook, enabling the user to break out of the running context's sandbox.

  • Internal Zepl assets and cloud metadata.
  • Escaping the notebook's sandbox context.
  • Unauthorized access to sensitive information.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability in Zepl Notebooks, as it allows for code execution and access to internal assets. The first practical step is to identify all instances of Zepl Notebooks within your environment, determine their reachability and business criticality, and then identify the accountable owner for remediation planning.

  • Identify Zepl Notebook instance owners.
  • Verify internal reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Zepl?

Zepl is a data analytics platform designed for collaborative data science and exploration. Organizations use Zepl Notebooks to run interactive code, visualize datasets, and perform complex analytics directly against their cloud-based data environments.

What does CVE-2021-42952 mean for security?

This vulnerability is a sandbox escape. It means that the security boundary designed to keep notebook code isolated from the underlying host system has failed. Because the sandbox is breached, code that should be restricted to a limited environment can instead interact with sensitive internal components and cloud resources it should not be able to reach.

How is the sandbox escape triggered?

The escape is triggered when an attacker with existing authenticated access initiates remote code execution from within a notebook. This vulnerability does not trigger through simple web browsing or passive interaction; it specifically requires the execution of arbitrary code inside the notebook environment to break out of the host's restricted container.

Is my Zepl instance at risk?

Halo Surface Signal indicates that while Zepl is often kept within internal networks or VPCs to protect sensitive data, internet-facing deployments are possible. You should assess whether your specific instance is reachable from the public internet or if it is restricted to internal users, as higher accessibility increases the potential for unauthorized access.

What steps should I take if I use Zepl?

First, locate all Zepl Notebook instances in your environment to understand your footprint. Identify the teams responsible for these instances to ensure accountability. Once owners are confirmed, review the software version to ensure it is updated beyond the affected release, and evaluate the network placement to restrict access where possible.

References