CVE-2019-10084 in Impala
Summary
by MITRE
In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure random number generator, so are vulnerable to random number generator attacks that predict future IDs based on past IDs. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user.
Analysis
by VulDB Data Team • 11/06/2019
Apache Impala versions 2.7.0 through 3.2.0 contain a critical authorization bypass vulnerability rooted in the handling of session and query identifiers. It is classified under CWE-284 (Improper Access Control). The flaw exists because Impala relies on a session or query ID as the only proof of the right to act on that session or query, while neither treating the IDs as secrets nor generating them with a cryptographically secure random number generator. The identifiers are unique and random, but they lack the unpredictability required of a security token, so an observer who has seen earlier IDs may be able to predict later ones. The result is a breakdown of least privilege: an authenticated user can escalate privileges by taking over an active session that belongs to another authenticated user with greater rights.
Exploitation rests on the predictability of Impala's identifier generation, which does not use a cryptographically secure random number generator as security standards require. In deployments that use Apache Sentry or Apache Ranger for authorization, the impact is considerably more severe, because a hijacked session lets the attacker perform operations under the identity and privileges of its legitimate owner. Session and query IDs are the primary handle by which Impala tracks user activity, and when they are predictable or exposed, an attacker can construct requests that target a specific session or query. Such a request is never checked against the principal that created the session, so the authorization controls that should keep one user out of another user's sessions are bypassed.
The operational impact goes beyond privilege escalation to the corruption of audit logging. When audit logging is enabled, actions performed by one user can be recorded under the name of another, which undermines the integrity of security monitoring and makes forensic analysis and detection of malicious activity far harder. The attacker must be authenticated and must hold a valid session or query identifier, but the attack surface widens considerably because such identifiers may be exposed in system logs, in user interfaces, or through an information disclosure vulnerability elsewhere in the application. Constructing a request that successfully hijacks a session takes technical sophistication, yet the damage from a successful attack remains severe because the authorization bypass is complete.
Mitigation should start with cryptographically secure random number generation for session and query identifiers, so that they meet the requirements of industry standards such as NIST SP 800-90A. Identifiers should be redacted from logs and user interfaces, and access controls should be enforced even when an identifier has been compromised, so that possession of an ID alone does not grant the right to act on a session. Additional authentication layers and session monitoring can help detect unauthorized session access. Regular security audits should confirm that identifiers are handled as sensitive secrets and that the random number generators in use meet current cryptographic standards. Administrators should also consider network-level monitoring for suspicious patterns of identifier access, and should make sure the audit logging system records the requesting identity so that legitimate and hijacked activity can be told apart. This vulnerability demonstrates the importance of treating every identifier as a potential attack vector and of enforcing proper entropy requirements for security-critical components of database systems.
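As an added example (not Impala's code, nor VulDB's), this Python sketch covers the weakness described in the analysis and the mitigations above: it contrasts a seedable PRNG with CSPRNG-backed generation of an Impala-style "hi:lo" identifier, redacts such IDs from log text, and binds each session ID to the principal that created it so that a request carrying a known ID but the wrong principal is denied and audited under the requester's own name. The "hi:lo" rendering, the registry class and all names are assumptions for illustration.

```python
"""Defensive handling of Impala-style session/query IDs (added example)."""
import random
import re
import secrets
from typing import Dict, Tuple

# Assumption for illustration: a 128-bit ID rendered as two 64-bit hex halves.
ID_RE = re.compile(r"\b[0-9a-f]{16}:[0-9a-f]{16}\b")


def predictable_id(seed: int) -> str:
    """The weak pattern: a seedable, non-cryptographic PRNG. Equal seeds give
    equal IDs, so the output is reproducible rather than secret."""
    rng = random.Random(seed)
    return f"{rng.getrandbits(64):016x}:{rng.getrandbits(64):016x}"


def new_id() -> str:
    """The fix: draw all 128 bits from the OS CSPRNG via the secrets module."""
    return f"{secrets.randbits(64):016x}:{secrets.randbits(64):016x}"


def redact(text: str) -> str:
    """Mask IDs before they reach logs or web UIs; keep 8 hex digits so
    operators can still correlate entries without seeing the full secret."""
    return ID_RE.sub(lambda m: m.group(0)[:8] + ":[redacted]", text)


class SessionRegistry:
    """Each ID is bound to the authenticated principal that created it, so a
    caller who learns or guesses an ID still cannot act on the session."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def open(self, principal: str) -> str:
        sid = new_id()
        self._owner[sid] = principal
        return sid

    def act(self, sid: str, principal: str, action: str) -> Tuple[bool, str]:
        """Authorize an operation on a session and build its audit line.
        The audit record always names the requesting principal, so a denied
        hijack attempt is never logged as the session owner's activity."""
        owner = self._owner.get(sid)
        allowed = owner is not None and owner == principal
        verdict = "ALLOW" if allowed else "DENY"
        audit = redact(f"{verdict} user={principal} session={sid} action={action}")
        return allowed, audit
```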