Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability affects Kestra, an open-source orchestration platform, allowing unauthenticated attackers to bypass security controls and execute arbitrary code as root. The issue stems from an improperly configured authentication filter that incorrectly validates API paths. This could lead to the compromise of the Kestra worker container.
- Unauthenticated access bypasses security for workflow execution.
- Critical for systems managing automated processes.
- Confirm relevance and assess exposure.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can exploit a flaw in how Kestra handles authentication for configuration endpoints. By crafting a request to an API path that ends with "/configs," an attacker can bypass authentication entirely. This allows them to create and execute arbitrary workflows, which, due to the default inclusion of script execution plugins, can lead to unauthenticated remote code execution with root privileges within the Kestra worker container.
- No authentication required.
- Accessing a path ending in "/configs."
- Unauthenticated remote code execution.
Live Threat
Current exploitation, exposure, and threat context
An unauthenticated remote attacker could exploit a flaw in Kestra's authentication filter to bypass credential checks and create or execute arbitrary workflows. This could lead to unauthenticated Remote Code Execution as root within the Kestra worker container, especially when script execution plugins are enabled by default.
- Arbitrary workflow execution and RCE.
- Bypassing authentication via specific path suffix.
- Unauthenticated root code execution.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Kestra platform's authentication bypass vulnerability requires immediate attention from teams responsible for the orchestration platform and its security posture. The first step is to identify all Kestra instances, determine their network exposure and business criticality, and then locate the specific team or individual accountable for the platform. Remediation planning should be prioritized based on this risk assessment.
- Orchestration platform owners should address this.
- Verify unauthenticated API endpoint access.
- Plan remediation based on risk.