Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data.
"Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof."
OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego, which OPA then evaluates to return a decision.
The attack technique devised by Tenable targets the supply chain: an attacker who gains unauthorized access through a compromised access key inserts a malicious Rego policy into an OPA server, and that policy is subsequently used during the policy decision phase to allow malicious actions such as credential exfiltration via a built-in function called "http.send."
Even in scenarios where an OPA deployment restricts the use of http.send, the cybersecurity firm found that it is possible to use another function named "net.lookup_ip_addr" to smuggle the data out through DNS lookups, a technique known as DNS tunneling.
"So, the net.lookup_ip_addr function is another function you might consider restricting or at least looking out for in policies, since it also introduces the risk of data exfiltration from your OPA deployment," Raban said.
Terraform, similar to OPA, aims to simplify the process of setting up, deploying, and managing cloud resources through code-based definitions. These configurations are written in another declarative DSL called HashiCorp Configuration Language (HCL).
An attacker could target the open-source IaC platform by taking advantage of its "terraform plan" command, which is typically triggered as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process.
"This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious objectives," Tenable noted. "Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers."
Such a data source could be a rogue external data source, a Terraform module, or a DNS data source, which is why only third-party components from trusted sources should be used. Some of the other recommendations to mitigate such risks include:
- Implement granular role-based access control (RBAC) and follow the principle of least privilege
- Set up application-level and cloud-level logging for monitoring and analysis
- Limit the network and data access of the applications and the underlying machines
- Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines
Moreover, organizations can use IaC scanning tools and solutions like Terrascan and Checkov to preemptively identify misconfigurations and compliance issues prior to deployment.
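As an added illustration of the "look out for these in policies" advice (this is example code written for this article, not Tenable's tooling or OPA/Terraform code), the following pre-merge check scans Rego files for calls to the two builtins named above and HCL files for data sources that execute or resolve names during `terraform plan`. The list of Terraform data-source prefixes (`external`, `dns_`) and the sample policy text are assumptions constructed for the demo.

```python
import re
from typing import List, Tuple

# Rego builtins the article names as exfiltration channels.
RISKY_REGO_BUILTINS = ("http.send", "net.lookup_ip_addr")
# Terraform data source types that run code or resolve names during `terraform plan`
# (assumed list: the "external" provider and the hashicorp/dns provider's "dns_*" sources).
RISKY_TF_DATA_PREFIXES = ("external", "dns_")

_COMMENT = re.compile(r"#.*")
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_REGO_BUILTINS)) + r")\s*\(")
_DATA_BLOCK = re.compile(r'^\s*data\s+"([A-Za-z0-9_]+)"\s+"[^"]+"\s*{')

def scan_rego(text: str) -> List[Tuple[int, str]]:
    """(line, builtin) for each call to a risky builtin; string literals and
    comments are blanked first so a quoted or commented name is not flagged."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        code = _COMMENT.sub("", _STRING.sub('""', line))
        hits.extend((n, m.group(1)) for m in _CALL.finditer(code))
    return hits

def scan_hcl(text: str) -> List[Tuple[int, str]]:
    """(line, data_source_type) for data blocks that leave the plan sandbox."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _DATA_BLOCK.match(_COMMENT.sub("", line))
        if m and m.group(1).startswith(RISKY_TF_DATA_PREFIXES):
            hits.append((n, m.group(1)))
    return hits

# Constructed samples (not real policies): one benign rule and two risky calls.
SAMPLE_REGO = """package authz
# a comment mentioning http.send( must not count
default allow = false
allow { input.user == "admin" }
check { r := http.send({"method": "get", "url": "https://placeholder.invalid"}); r.status_code == 200 }
resolve { ips := net.lookup_ip_addr("placeholder.invalid"); count(ips) > 0 }
"""
SAMPLE_HCL = """data "aws_caller_identity" "me" {}
data "external" "hook" { program = ["sh", "-c", "echo {}"] }   # runs during plan
data "dns_a_record_set" "probe" { host = "placeholder.invalid" }
"""

if __name__ == "__main__":
    for f in scan_rego(SAMPLE_REGO) + scan_hcl(SAMPLE_HCL):
        print("risky construct at line %d: %s" % f)
```

Wiring the two functions into the pull_request workflow and failing the job on any hit turns the "prevent automatic execution of unreviewed code" recommendation into an enforced gate rather than a review guideline.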