Ethical Hacking News
New Cybersecurity Vulnerability Discovered: Cloud Platforms Compromised via IaC and PaC Tools
A recent discovery by cybersecurity researchers has exposed a new vulnerability in infrastructure-as-code (IaC) and policy-as-code (PaC) tools that allows attackers to breach cloud platforms and exfiltrate data. The newly identified attack technique targets the supply chain, abusing the dedicated, domain-specific languages (DSLs) these IaC and PaC tools use to compromise them.
Tenable disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools, leveraging their dedicated DSLs to breach cloud platforms and exfiltrate data. The attack method targets supply chain vulnerabilities, allowing attackers to gain unauthorized access and inject malicious policies into OPA servers. Terraform is exposed through the "terraform plan" command, which can execute unreviewed changes containing malicious data sources during the CI/CD process. Organizations must implement security measures such as monitoring deployments and configurations, regular security audits, limiting access to sensitive data sources, and restricting the use of vulnerable functions.
Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Open Policy Agent (OPA), leveraging dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data. This vulnerability poses significant risks to organizations relying on these IaC and PaC tools for secure deployment of cloud resources.
The attack method devised by Tenable targets the supply chain: an attacker who gains unauthorized access through a compromised access key inserts a malicious Rego policy into an OPA server, which is subsequently used during the policy decision phase to allow malicious actions like credential exfiltration using a built-in function known as "http.send." Even in instances where an OPA deployment restricts the use of http.send, the cybersecurity firm found that it's possible to utilize another function named "net.lookup_ip_addr" to smuggle the data out through DNS lookups, a technique referred to as DNS tunneling.
Terraform, similar to OPA, aims to simplify the process of setting up, deploying, and managing cloud resources through code-based definitions. These configurations are written in another declarative DSL called HashiCorp Configuration Language (HCL). An attacker could target the open-source IaC platform by taking advantage of its "terraform plan" command, which is typically triggered as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process.
"This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious objectives," Tenable noted. "Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers."
These data sources, in turn, could be a rogue external data source, a Terraform module, or a DNS data source, so only third-party components from trusted sources should be used. Other recommendations to mitigate such risks include restricting, or at least looking out for, policies containing the function "net.lookup_ip_addr," and ensuring that third-party components are sourced from trusted environments and thoroughly vetted before deployment.
As with any new vulnerability, it is crucial for organizations utilizing IaC and PaC tools to be vigilant in monitoring their deployments and configurations. Implementing a robust security posture, including regular security audits and assessments, can help identify and address potential vulnerabilities before they are exploited by malicious actors. Furthermore, adopting best practices such as limiting access to sensitive data sources and restricting the use of functions like "net.lookup_ip_addr" can significantly reduce the risk of compromise.
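One way to put the "look out for" recommendation into practice is a pre-merge scan of Rego and Terraform files for the constructs named above. The following added example is not part of Tenable's research or the linked article; it assumes a line-based parse of plain HCL, treats any data source type beginning with dns_ as a DNS data source, and uses an organisation-specific allowlist of trusted module source prefixes (here a placeholder registry name).

```python
import re

# Rego built-ins the disclosure names as exfiltration channels (HTTP and DNS lookups).
RISKY_REGO_BUILTINS = ("http.send", "net.lookup_ip_addr")
# Terraform `data "<type>" "<name>" {` and `source = "..."` lines (flat, line-based parse).
DATA_BLOCK = re.compile(r'^\s*data\s+"([^"]+)"\s+"[^"]+"\s*\{')
MODULE_SOURCE = re.compile(r'^\s*source\s*=\s*"([^"]+)"')

def scan_rego(text):
    """Return (line, description) for every call to a risky built-in; '#' comments are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for builtin in RISKY_REGO_BUILTINS:
            if re.search(r"\b" + re.escape(builtin) + r"\s*\(", code):
                findings.append((lineno, f"rego built-in {builtin}"))
    return findings

def scan_terraform(text, trusted_prefixes):
    """Return (line, description) for plan-time data sources and module sources outside the allowlist."""
    findings, in_module = [], False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DATA_BLOCK.match(line)
        # `external` runs a local program during plan; dns_* is assumed to be the DNS provider.
        if m and (m.group(1) == "external" or m.group(1).startswith("dns_")):
            findings.append((lineno, f"data source {m.group(1)} runs during plan"))
        if re.match(r'^\s*module\s+"', line):
            in_module = True
        elif in_module:
            src = MODULE_SOURCE.match(line)
            if src and not src.group(1).startswith(trusted_prefixes):
                findings.append((lineno, f"untrusted module source {src.group(1)}"))
            in_module = line.strip() != "}"
    return findings

# Constructed sample inputs for the demo (not taken from the disclosure).
SAMPLE_REGO = """package authz
# http.send is only mentioned in this comment, so it is not reported
allow { input.user == "admin" }
lookup := net.lookup_ip_addr(input.host)
"""
SAMPLE_TF = """data "aws_caller_identity" "me" {}
data "external" "probe" { program = ["sh", "-c", "echo {}"] }
data "dns_a_record_set" "lookup" { host = "example.invalid" }
module "vpc" {
  source = "git::https://example.invalid/unknown/module.git"
}
"""
TRUSTED_MODULE_PREFIXES = ("registry.example.invalid/",)  # assumed private registry allowlist
```

Running both scanners over the samples reports the net.lookup_ip_addr call, the external and DNS data sources, and the module pulled from outside the allowlist, while the comment mentioning http.send and the ordinary cloud data source pass.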
In conclusion, the newly identified vulnerability in IaC and PaC tools highlights the ongoing importance of continuous monitoring and security assessments in cloud environments. By staying informed about emerging threats and taking proactive measures to secure their deployments, organizations can minimize the risk of being compromised by malicious actors.
Related Information:
https://thehackernews.com/2024/11/cybersecurity-flaws-in-iac-and-pac.html
Published: Mon Nov 25 08:38:29 2024 by llama3.2 3B Q4_K_M