CVE-2023-47248 Scanner

PyArrow Flight RPC - Remote Code Execution CVE-2023-47248 Scanner

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 20 days 6 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

PyArrow is the Python library for the Apache Arrow columnar data format, used for high-performance analytics. It supports cross-language development and provides features for columnar data manipulation such as serialization, I/O, and interoperability between different data systems. PyArrow is widely used in data engineering, data science, and machine learning to manage large datasets efficiently, and it integrates with libraries such as Pandas and Dask for further processing. It is an open-source project maintained under the Apache Software Foundation and is designed for applications that require fast data access and manipulation.

This vulnerability allows remote attackers to execute arbitrary code on a system that exposes PyArrow Flight RPC. The root cause is insufficient validation of a Python-defined extension type: a specially crafted request carrying such a type is processed without proper checks, and that processing leads to remote code execution, giving the attacker control over the targeted system. The vulnerability affects PyArrow versions from v0.14.0 through v14.0.0 and is rated critical because of the remote code execution impact. The flaw stems from improper handling of user-controlled data in the Flight RPC service.

The vulnerability is triggered when a malicious Python-defined extension type is delivered in a crafted request to the Flight RPC service, specifically in a POST request to the /arrow.flight.protocol.FlightService/DoPut endpoint of the Flight RPC protocol. The malicious input alters how the service processes the incoming data and, because it is handled in the service's Python environment, can result in arbitrary command execution. The vulnerable input is the request body that carries the extension type: when the crafted request arrives, the service fails to validate it properly, and the attacker's payload is processed.

If exploited, this vulnerability lets attackers execute arbitrary code on the system running PyArrow, which can lead to a complete compromise of the affected machine. An attacker could access sensitive data, install malicious software, or use the host to launch further attacks. Because the issue is remote code execution, it is a critical risk, particularly where PyArrow processes sensitive or high-value data; Flight RPC services exposed to the internet or otherwise improperly secured are especially at risk. The initial code execution can also serve as the first step in a longer chain, enabling privilege escalation or persistence on the compromised system.
