CVE-2023-51982
📋 TL;DR
CVE-2023-51982 is an authentication bypass vulnerability in CrateDB's Admin UI component. Attackers can bypass password authentication by setting the X-Real-IP header to a specific value and accessing the Admin UI with default credentials. This affects CrateDB administrators who have configured password authentication with local address restrictions.
💻 Affected Systems
- CrateDB
📦 What is this software?
CrateDB, a distributed SQL database developed by Crate.io. The Admin UI is its browser-based administration interface, served on the same HTTP port as the REST/SQL endpoint (default 4200).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CrateDB instance allowing unauthorized access to all data, configuration changes, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive database data, potential data exfiltration, and administrative control over the database instance.
If Mitigated
Limited impact if proper network segmentation and additional authentication layers are in place, though authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires setting X-Real-IP header to bypass local address restriction and using default credentials. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.2 or later
Vendor Advisory: https://github.com/crate/crate/issues/15231
Restart Required: Yes
Instructions:
1. Backup CrateDB configuration and data.
2. Download CrateDB 5.5.2 or later from official sources.
3. Stop CrateDB service.
4. Install/upgrade to patched version.
5. Restart CrateDB service.
6. Verify authentication works correctly.
🔧 Temporary Workarounds
Disable Admin UI Access
Temporarily disable Admin UI access until patching is complete
# In crate.yml configuration file:
admin_ui.enabled: false
Network Restriction
Restrict network access to Admin UI using firewall rules
# Example iptables rules (replace trusted_ip with the administrators' address or CIDR; order matters, the ACCEPT must precede the DROP):
iptables -A INPUT -p tcp --dport 4200 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 4200 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit Admin UI access to trusted IP addresses only
- Enable additional authentication mechanisms or use reverse proxy with proper authentication
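The reverse-proxy mitigation above addresses the root cause directly: the bypass works because CrateDB trusts an X-Real-IP value the client itself can supply. A proxy that unconditionally overwrites that header with the TCP peer address removes the client's control over it, and a proxy-level login adds an authentication layer CrateDB's own check does not depend on. The following nginx fragment is an added example, not part of the advisory and not CrateDB project configuration; the server name, certificate paths, htpasswd file and allowed network are placeholders, and it assumes the iptables rules above (or an equivalent) ensure the proxy is the only path to port 4200.

```nginx
# Added example: nginx in front of the CrateDB HTTP/Admin UI port.
# All paths, names and CIDRs are placeholders.
server {
    listen 443 ssl;
    server_name cratedb-admin.example.internal;      # placeholder

    ssl_certificate     /etc/nginx/tls/cratedb.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/cratedb.key;   # placeholder

    # Only the administrators' network may reach the proxy at all
    allow 10.20.0.0/24;                               # placeholder trusted admin network
    deny  all;

    # Authentication enforced at the proxy, independent of CrateDB's own check
    auth_basic           "CrateDB Admin UI";
    auth_basic_user_file /etc/nginx/cratedb.htpasswd; # placeholder

    location / {
        proxy_pass http://127.0.0.1:4200;

        # proxy_set_header replaces any value the client sent, so the backend
        # only ever sees the real TCP peer address in these headers.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host            $host;
    }
}
```

Because CrateDB then receives the proxy's view of the client address rather than a client-chosen one, the local-address trust rule applies only to connections that really originate locally; the upgrade to 5.5.2 remains the actual fix.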
🔍 How to Verify
Check if Vulnerable:
Test if Admin UI authentication can be bypassed by setting X-Real-IP header to local address and accessing with default credentials
Check Version:
# The _sql endpoint is queried with POST; the SQL's single quotes are kept inside a double-quoted JSON body so the shell does not split them.
# Vulnerable if the reported version is below 5.5.2.
curl -X POST 'http://localhost:4200/_sql?pretty' -H 'Content-Type: application/json' -d "{\"stmt\": \"SELECT version['number'] FROM sys.nodes\"}"
Verify Fix Applied:
After patching, attempt the same bypass technique - it should fail and require proper authentication
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful Admin UI access
- Admin UI access from unexpected IP addresses
- Requests with X-Real-IP header manipulation
Network Indicators:
- HTTP requests to Admin UI port (default 4200) with X-Real-IP header
- Unauthorized Admin UI access patterns
SIEM Query:
source="cratedb.log" AND ("Admin UI" OR "4200") AND ("X-Real-IP" OR "authentication bypass")
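The log and network indicators above (a failed authentication followed by a successful Admin UI access from the same client, and requests whose X-Real-IP header claims a local address while the TCP peer is not local) can be turned into two simple detection rules. The script below is an added example, not part of the advisory and not a CrateDB or SIEM component; it runs over a constructed access log in a hypothetical `peer method path status xrealip=value` format, so the field layout, the sample addresses and the rule names are assumptions to adapt to whatever your proxy or CrateDB actually logs.

```python
"""Detection rules for CVE-2023-51982-style X-Real-IP abuse (added example).

Assumes a constructed access-log format, one request per line:
    <peer_ip> <method> <path> <status> xrealip=<X-Real-IP header or "-">
"""
import ipaddress
import re

# Constructed sample log, not captured traffic. Documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) stand in for public client addresses.
SAMPLE_LOG = """\
203.0.113.7 POST /_sql 401 xrealip=-
203.0.113.7 GET / 200 xrealip=127.0.0.1
10.0.0.5 GET /_sql 200 xrealip=-
198.51.100.23 GET /static/app.js 200 xrealip=::1
203.0.113.7 GET / 200 xrealip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<peer>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) xrealip=(?P<xrip>\S+)$"
)

# Addresses CrateDB's local-address rule would treat as "local": loopback plus
# RFC 1918 and IPv6 ULA space. Listed explicitly because Python's
# ipaddress.is_private also covers the documentation ranges used in the sample.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "::1/128", "fc00::/7")
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_local_address(addr):
    """True for loopback/private addresses; False for public or unparsable values."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def find_spoofed_x_real_ip(log_text):
    """Rule 1: a non-local TCP peer asserts a local address via X-Real-IP.

    A reverse proxy that sets X-Real-IP writes the peer address into it, so the
    header disagreeing with the peer and claiming a local address is the
    'X-Real-IP header manipulation' indicator.
    """
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None or rec["xrip"] == "-":
            continue
        peer, xrip = rec["peer"], rec["xrip"]
        if xrip != peer and is_local_address(xrip) and not is_local_address(peer):
            alerts.append({"rule": "spoofed-x-real-ip", "line": lineno,
                           "peer": peer, "xrip": xrip})
    return alerts


def find_failure_then_success(log_text):
    """Rule 2: a peer receives a 401 and later a 2xx response.

    Matches 'failed authentication attempts followed by successful Admin UI
    access'. Each 401 -> success transition per peer is reported once.
    """
    failed = set()
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        peer, status = rec["peer"], rec["status"]
        if status == 401:
            failed.add(peer)
        elif 200 <= status < 300 and peer in failed:
            alerts.append({"rule": "failure-then-success", "line": lineno, "peer": peer})
            failed.discard(peer)
    return alerts


def analyze(log_text):
    """Run both rules and return all alerts ordered by log line."""
    alerts = find_spoofed_x_real_ip(log_text) + find_failure_then_success(log_text)
    return sorted(alerts, key=lambda a: a["line"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, rule 1 fires for lines 2 and 4 (public peers claiming 127.0.0.1 and ::1) but not for line 5, where the header matches the peer, and rule 2 fires once for 203.0.113.7 after its 401 on line 1. Rule 1 only has something to work with if the proxy or CrateDB logs the received header value; where the proxy overwrites X-Real-IP as in the mitigation above, log the original client-supplied value separately if you want this signal.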