CVE-2023-44981
📋 TL;DR
This CVE describes an authorization bypass vulnerability in Apache ZooKeeper when SASL Quorum Peer authentication is enabled. An attacker can join the cluster without proper authentication by omitting the instance part in their SASL authentication ID, allowing them to propagate malicious changes to the leader and gain full read-write access to the data tree. Only ZooKeeper deployments with quorum.auth.enableSasl=true are affected.
💻 Affected Systems
- Apache ZooKeeper
📦 What is this software?
Zookeeper by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise where an attacker gains full read-write access to the ZooKeeper data tree, allowing data manipulation, service disruption, and potential lateral movement to connected systems.
Likely Case
Unauthorized cluster node joins and propagates counterfeit configuration changes, leading to data corruption, service disruption, or privilege escalation within the ZooKeeper-managed ecosystem.
If Mitigated
Limited impact due to network segmentation and proper authentication controls preventing unauthorized cluster access.
🎯 Exploit Status
Exploitation requires network access to ZooKeeper quorum ports and knowledge of the cluster configuration. The vulnerability is straightforward to exploit once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.1, 3.8.3, or 3.7.2
Vendor Advisory: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache ZooKeeper website.
2. Stop the ZooKeeper service.
3. Back up configuration and data.
4. Install the patched version.
5. Restart the ZooKeeper service.
6. Verify cluster health and authentication.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the ZooKeeper quorum ports using firewall rules so that only trusted cluster members can reach them. Add one ACCEPT rule per trusted peer; the ACCEPT rules must precede the DROP rule.
# Example iptables rules:
iptables -A INPUT -p tcp --dport 2888:3888 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 2888:3888 -j DROP
🧯 If You Can't Patch
- Disable SASL Quorum Peer authentication by setting quorum.auth.enableSasl=false if not required for your deployment.
- Implement strict network access controls to limit ZooKeeper quorum communication to only authorized hosts using firewall rules.
🔍 How to Verify
Check if Vulnerable:
A deployment is vulnerable if quorum.auth.enableSasl=true is set in the zoo.cfg configuration file and the ZooKeeper version is older than the fixed release for its line (3.9.1, 3.8.3, or 3.7.2).
Check Version:
./zkServer.sh version (Linux) or zkServer.cmd version (Windows)
Verify Fix Applied:
Verify with the version check command that ZooKeeper is at 3.9.1, 3.8.3, or 3.7.2 (or a later release in that line), and confirm that quorum authentication is functioning properly.
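The two checks above combined into one script, as an added example that is not part of this advisory or of the ZooKeeper project. It parses the output of `zkServer.sh version`, reads `quorum.auth.enableSasl` from zoo.cfg text (only the `key=value` form, which is what zoo.cfg uses; comments and blank lines are skipped, the last assignment wins) and compares the version against the fixed releases named above. How versions outside the 3.7, 3.8 and 3.9 lines are treated is an assumption, marked in the code; the sample zoo.cfg and version string in the demo are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_RELEASES = {
    (3, 9): (3, 9, 1),
    (3, 8): (3, 8, 3),
    (3, 7): (3, 7, 2),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first major.minor.patch triple found in `zkServer.sh version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def sasl_quorum_enabled(zoo_cfg_text):
    """True if zoo.cfg sets quorum.auth.enableSasl=true.

    Handles the key=value form only (assumption: that is how zoo.cfg is written);
    whitespace around key and value is ignored and the value is case-insensitive.
    """
    enabled = False
    for raw in zoo_cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "quorum.auth.enableSasl":
            enabled = value.strip().lower() == "true"
    return enabled


def version_is_patched(version):
    """True if the (major, minor, patch) tuple is at or above the fix for its line."""
    major, minor, _ = version
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        return version >= fixed
    # Assumption: lines newer than 3.9 carry the fix; older unlisted lines (e.g. 3.6) do not.
    return (major, minor) > (3, 9)


def is_vulnerable(version_output, zoo_cfg_text):
    """Vulnerable only when SASL quorum auth is enabled AND the version is unpatched."""
    return sasl_quorum_enabled(zoo_cfg_text) and not version_is_patched(parse_version(version_output))


if __name__ == "__main__":
    # Constructed sample inputs; replace with real `zkServer.sh version` output and zoo.cfg contents.
    sample_version = "Apache ZooKeeper, version 3.8.2-example-build"
    sample_cfg = "tickTime=2000\n# quorum SASL\nquorum.auth.enableSasl = true\n"
    print("vulnerable:", is_vulnerable(sample_version, sample_cfg))
```

On a live host, feed the script the output of `./zkServer.sh version` and the contents of the zoo.cfg that the running server actually loads; a `true` result means the node needs the patch (or the workaround of disabling SASL quorum auth where it is not required).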
📡 Detection & Monitoring
Log Indicators:
- Unexpected authentication attempts without instance part in SASL ID
- Unauthorized nodes attempting to join cluster
- Authentication failures or bypass events in ZooKeeper logs
Network Indicators:
- Unexpected connections to ZooKeeper quorum ports (2888, 3888)
- Network traffic from unauthorized IPs to cluster communication ports
SIEM Query:
source="zookeeper.log" AND ("auth" OR "authentication") AND ("bypass" OR "failed" OR "invalid")
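The log and network indicators above applied to log lines, as an added example that is not part of this advisory or of the ZooKeeper project. It reproduces the keyword filter of the SIEM query and additionally flags any quorum-port (2888/3888) peer address that lies outside the trusted cluster ranges. The log lines, the trailing `from /<ip>:<port>` format the regex expects, and the trusted CIDR are all constructed for this example and are not the wording ZooKeeper itself logs; only IPv4 peers are matched.

```python
import re
from ipaddress import ip_address, ip_network

# Keyword filter equivalent to the advisory's SIEM query.
AUTH_TERMS = ("auth", "authentication")
ALERT_TERMS = ("bypass", "failed", "invalid")
QUORUM_PORTS = {2888, 3888}

# Constructed log format assumption: messages end with "from /<ipv4>:<port>".
PEER_RE = re.compile(r"/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Constructed sample lines (not real ZooKeeper output).
SAMPLE_LOG = [
    "2023-10-11 10:00:01,001 [myid:1] - INFO [QuorumPeer] - Accepted socket connection from /10.0.0.2:3888",
    "2023-10-11 10:00:02,002 [myid:1] - WARN [QuorumPeer] - Authentication failed for peer from /192.168.5.7:3888",
    "2023-10-11 10:00:03,003 [myid:1] - INFO [NIOServerCnxn] - Client connection from /192.168.5.7:2181",
    "2023-10-11 10:00:04,004 [myid:1] - INFO [QuorumPeer] - Connection request from /10.0.0.3:2888",
]


def matches_siem_query(line):
    """Same condition as the SIEM query: an auth term AND one of bypass/failed/invalid."""
    low = line.lower()
    return any(t in low for t in AUTH_TERMS) and any(t in low for t in ALERT_TERMS)


def untrusted_quorum_peer(line, trusted_nets):
    """Return the peer IP if the line shows a quorum-port peer outside trusted_nets, else None."""
    m = PEER_RE.search(line)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    if port not in QUORUM_PORTS:
        return None  # client port traffic (e.g. 2181) is out of scope for this indicator
    addr = ip_address(ip)
    if any(addr in net for net in trusted_nets):
        return None
    return ip


def triage(lines, trusted_cidrs):
    """Return [(reasons, line)] for every line matching at least one indicator."""
    nets = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        reasons = []
        if matches_siem_query(line):
            reasons.append("auth-keyword")
        peer = untrusted_quorum_peer(line, nets)
        if peer:
            reasons.append(f"untrusted-peer:{peer}")
        if reasons:
            findings.append((reasons, line))
    return findings


if __name__ == "__main__":
    for reasons, line in triage(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(", ".join(reasons), "|", line)
```

The trusted CIDR list should be the set of addresses of the legitimate quorum members (the same hosts allowed through the firewall rules in the workaround section); a quorum-port connection from anywhere else is worth an alert regardless of what the message text says.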
🔗 References
- http://www.openwall.com/lists/oss-security/2023/10/11/4
- https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
- https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.debian.org/security/2023/dsa-5544