CVE-2020-13151
📋 TL;DR
CVE-2020-13151 allows unauthenticated remote attackers to execute arbitrary operating system commands on Aerospike database servers by submitting malicious Lua user-defined functions (UDFs). This affects Aerospike Community Edition installations with default configurations that are exposed to network access. Attackers can compromise all nodes in the cluster with the permissions of the Aerospike service account.
💻 Affected Systems
- Aerospike Community Edition
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise leading to data theft, service disruption, and lateral movement to other systems in the environment.
Likely Case
Remote code execution leading to data exfiltration, cryptocurrency mining, or ransomware deployment on database servers.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to Aerospike ports.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist that demonstrate complete RCE. The vulnerability is trivial to exploit with basic Lua knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.0.3 and later
Vendor Advisory: https://www.aerospike.com/download/server/notes.html#5.1.0.3
Restart Required: Yes
Instructions:
1. Download Aerospike Server version 5.1.0.3 or later from the official site.
2. Stop the Aerospike service.
3. Back up configuration and data.
4. Install the new version.
5. Restart the Aerospike service.
6. Verify functionality.
🔧 Temporary Workarounds
Enable Authentication
Configure Aerospike to require authentication for all connections. Note that access control is an Aerospike Enterprise Edition feature; Community Edition deployments cannot enable it and must rely on the network controls below.
# Edit aerospike.conf
# Add a security stanza: security { enable-security true }
# Create users with appropriate roles
Network Access Control
Restrict network access to Aerospike ports (default 3000, 3001, 3002, 3003)
# Example iptables rules; replace trusted_ip_range with your client CIDR.
# The ACCEPT rule must be inserted before the DROP rule.
iptables -A INPUT -p tcp --dport 3000:3003 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 3000:3003 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation - only allow trusted applications to connect to Aerospike ports
- Enable and enforce authentication with strong credentials and minimal necessary permissions
🔍 How to Verify
Check if Vulnerable:
Check the Aerospike version: if the version is 4.9.0.5 or earlier, the system is vulnerable. Test by attempting to register a Lua UDF without authentication.
Check Version:
asinfo -v "build"
Verify Fix Applied:
Verify that the Aerospike version is 5.1.0.3 or later; an attempt to register a Lua UDF without authentication should fail.
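The version check above can be scripted so it can be run across every node of a cluster. This is an added example, not code from Aerospike or the original advisory; it assumes the `asinfo` tool from the Aerospike tools package is on PATH and that the build string has the dotted form `asinfo -v "build"` prints (e.g. `4.9.0.5`).

```python
"""Compare an Aerospike build string against the CVE-2020-13151 fix (5.1.0.3)."""
import re
import subprocess

# First build that carries the fix, as stated in the vendor advisory.
FIXED_BUILD = (5, 1, 0, 3)


def parse_build(build: str) -> tuple:
    """Turn a build string such as '4.9.0.5' into a tuple of ints.

    A missing fourth component is treated as 0 and any trailing suffix
    (e.g. '-rc1') is ignored so that tuple comparison stays numeric.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def is_patched(build: str) -> bool:
    """True when the build is 5.1.0.3 or later."""
    return parse_build(build) >= FIXED_BUILD


def query_build(host: str = "127.0.0.1", port: int = 3000) -> str:
    """Ask a node for its build via asinfo (assumes asinfo is installed)."""
    out = subprocess.run(
        ["asinfo", "-h", host, "-p", str(port), "-v", "build"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    import sys
    # Hostnames/IPs of cluster nodes are given on the command line.
    for node in sys.argv[1:] or ["127.0.0.1"]:
        build = query_build(node)
        state = "patched" if is_patched(build) else "VULNERABLE (CVE-2020-13151)"
        print(f"{node}: build {build} -> {state}")
```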
📡 Detection & Monitoring
Log Indicators:
- Unexpected UDF registration attempts
- Failed authentication attempts from unknown sources
- Unusual process execution from Aerospike service account
Network Indicators:
- Unusual outbound connections from Aerospike servers
- Traffic to Aerospike ports from unauthorized sources
- Large data transfers from database servers
SIEM Query:
source="aerospike.log" AND ("register" OR "UDF" OR "lua") AND NOT user="authenticated_user"
🔗 References
- http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.html
- https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.html
- https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-roles
- https://www.aerospike.com/download/server/notes.html#5.1.0.3
- https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3