This report was fully disclosed on 11 February 2020

Summary

An IP address appearing to be managed by Orchard (formally Perch) and running “Apache Airflow” is accessible to remote unauthenticated users causing sensitive information disclosure and potentially allowing for denial of service and service interruption.

About Orchard: “Orchard launched in 2017 and was previously known as Perch. The company is headquartered in New York City, has 100+ employees and has grown 10x year over year. We have raised over $300 million in financing from top tier investors including: Firstmark, Accomplice, Navitas, and Juxtapose.”

Proof of Concept

The IP address in question is 18.222.116.81:8080. Simply opening the affected target in a web browser reveals sensitive information. Additionally no authentication is required to make modifications within Apache Airflow.

Viewing the affected target reveals several pieces of sensitive data, including but not limited to the following Google Cloud service account keys.

Screenshot of http://18.222.116.81:8080/admin/connection/edit/?id=35&url=%2Fadmin%2Fconnection%2F

Additionally two other Google Cloud service account keys are exposed at the following URLS.

  • http://18.222.116.81:8080/admin/connection/edit/?id=35&url=%2Fadmin%2Fconnection%2F
  • http://18.222.116.81:8080/admin/connection/edit/?id=36&url=%2Fadmin%2Fconnection%2F

It is also important to note that in addition to sensitive information disclosure it is also possible to make modifications and perform actions as an administrative user on the Apache Airflow instance. This could lead to remote code execution, denial of service, or additional sensitive information exposure.

Remediation Status

At the time of publishing this report the initial issue has been resolved. Using an automated resource uptime monitor it was noted that the identified target became unresponsive at 2020-02-11 13:35 UTC, approximately 12 hours and 5 minutes after the initial disclosure email.

Response From Affected Party

At the time of publishing this report, no response has been received from Orchard.

Timeline

  • 11 February 2020: Affected Party Notified
  • 11 February 2020: Affected Party Released Patch (+0 days)
  • 11 February 2020: Report Published (+0 days)