Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Styra's Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data.
"Since these are hardened languages with limited capabilities, they are supposed to be more secure than standard programming languages – and indeed they are," Tenable senior security researcher Shelly Raban said in a technical report published last week. "However, more secure does not mean bulletproof."
OPA is a popular, open-source policy engine that allows organizations to enforce policies across cloud-native environments, such as microservices, CI/CD pipelines, and Kubernetes. Policies are defined using a native query language called Rego, which OPA then evaluates to return a decision.
The attack method devised by Tenable targets the supply chain: an attacker gains unauthorized access through a compromised access key and inserts a malicious Rego policy into an OPA server, which is subsequently used during the policy decision phase to allow malicious actions like credential exfiltration using a built-in function known as "http.send."
Even in scenarios where an OPA deployment restricts the use of http.send, the cybersecurity firm found that it is possible to leverage another function named "net.lookup_ip_addr" to smuggle the data using DNS lookups via a technique known as DNS tunneling.
"So, the net.lookup_ip_addr function is another function you might consider restricting or at least looking for in policies, as it also introduces the risk of data exfiltration from your OPA deployment," Raban said.
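One way to act on that advice is to audit Rego policies for call sites of the two builtins named above before they reach an OPA server. The following scanner is an added example, not Tenable's or OPA's own code; the sample policy and the `Finding` type are constructed for illustration.

```python
"""Audit Rego policies for the exfiltration-capable builtins the article names.
Added example, not Tenable's or OPA's own code; the sample policy is constructed."""
import re
from typing import NamedTuple

# Builtins the article identifies as data-exfiltration channels; extend as needed.
RISKY_BUILTINS = ("http.send", "net.lookup_ip_addr")

# Match a call such as `http.send(` but not `foo.http.send(`; dots are escaped.
_CALL_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(b) for b in RISKY_BUILTINS) + r")\s*\(")


class Finding(NamedTuple):
    path: str
    line: int
    builtin: str
    snippet: str


def _strip_comment(line: str) -> str:
    """Drop a trailing Rego comment (`# ...`) unless the `#` sits inside a string."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            break
        out.append(ch)
    return "".join(out)


def scan_policy(path: str, source: str) -> list[Finding]:
    """Return one Finding per risky call site; comment-only mentions are ignored."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        for m in _CALL_RE.finditer(_strip_comment(raw)):
            findings.append(Finding(path, no, m.group(1), raw.strip()))
    return findings


# Constructed sample: one benign rule, one comment mention, two real call sites.
SAMPLE_POLICY = '''package authz

allow if input.user in data.service_accounts  # http.send() is banned here

callback if http.send({"method": "GET", "url": input.callback})

resolved if net.lookup_ip_addr(input.host)
'''

if __name__ == "__main__":
    for f in scan_policy("authz.rego", SAMPLE_POLICY):
        print(f"{f.path}:{f.line}: {f.builtin} -> {f.snippet}")
```

Run it over every `.rego` file in a CI step and fail the job on any finding, or feed the findings into the application-level logging recommended below.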
Terraform, similar to OPA, aims to simplify the process of setting up, deploying, and managing cloud resources through code-based definitions. These configurations can be written in another declarative DSL called HashiCorp Configuration Language (HCL).
An attacker could target the open-source IaC platform by taking advantage of its "terraform plan" command, which is typically triggered as part of GitHub "pull_request" workflows, to execute unreviewed changes containing a malicious data source during the CI/CD process.
"Data sources run during 'terraform plan,' which significantly lowers the entry point for attackers," Tenable noted. "This poses a risk, as an external attacker in a public repository or a malicious insider (or an external attacker with a foothold) in a private repository could exploit a pull request for their malicious aims."
These data sources, in turn, could be a rogue external data source, a Terraform module shared via public or private registries, or a DNS data source, which is why only third-party components from trusted sources should be used. Some of the other recommendations to mitigate such risks include –
- Implement granular role-based access control (RBAC) and follow the principle of least privilege
- Set up application-level and cloud-level logging for monitoring and analysis
- Limit the network and data access of the applications and the underlying machines
- Prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines
Additionally, organizations can use IaC scanning tools and solutions like Terrascan and Checkov to preemptively identify misconfigurations and compliance issues prior to deployment.