IBM Cloud Supply Chain Vulnerability Showcases New Threat Class

  /     /     /  
Publicated : 23/11/2024   Category : security


IBM Cloud Supply Chain Vulnerability Showcases New Threat Class


The Hells Keychain attack vector highlights common cloud misconfigurations and secrets exposure that can pose grave risk to enterprise customers.



A vulnerability in IBM Cloud databases for PostgreSQL could have allowed attackers to launch a supply chain attack on cloud customers by breaching internal IBM Cloud services and disrupting the hosted systems internal image-building process.
Security researchers from Wiz discovered the flaw, which they dubbed Hells Keychain. It included a chain of three exposed secrets paired with overly permissive network access to internal build servers, the researchers revealed in a blog post published Dec. 1. 
While now patched, the vulnerability is significant in that it represents a rare supply-chain attack vector impacting the infrastructure of a cloud service provider (CSP), Wiz CTO Ami Luttwak tells Dark Reading. The discovery also uncovers a class of PostgreSQL vulnerabilities affecting most cloud vendors, including Microsoft Azure and Google Cloud Platform.
This is a first-of-a-kind supply-chain attack vector, showing how attackers might be able to leverage mistakes in the build process to take over the entire cloud environment, he says.
Specifically, researchers uncovered major risk caused by improper sanitation of build secrets from container images, allowing for an attacker to gain write access to the central container image repository, Luttwak says. This would have allowed the actor to run malicious code in customers’ environments and modify the data stored in the database.
Modifications to the PostgreSQL engine effectively introduced new vulnerabilities to the service, the researchers wrote in
their post
. These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform.
As mentioned, the ability to use
PostgreSQL
to breach IBM Cloud is not unique to the service provider, researchers said. Wiz already has found similar vulnerabilities in other CSP environments, which they plan to disclose soon and which highlight a broader issue of cloud misconfigurations that pose a supply chain threat to enterprise customers.
The existence of the flaw also highlights how improper management of secrets — or long-lived authentication tokens for cloud APIs or other enterprise systems — can impose a high risk of unwanted intrusion by attackers on an organization using a cloud provider, Luttwak says.
Finding and utilizing exposed secrets is the No. 1 method for lateral movement in cloud environments, he says.
For now, the researchers said they worked with IBM to remedy the issue in IBM Cloud and no customer mitigation action is required.
Researchers were doing a typical audit of IBM Clouds PostgreSQL-as-a-service to find out if they could escalate privileges to become a superuser, which would allow them to execute arbitrary code on the underlying virtual machine and continue challenging internal security boundaries from there.
Based on their experience, they said the ability to carry out a supply chain attack on a CSP lies in two key factors: the forbidden link and the keychain.
The forbidden link represents network access — specifically, it is the link between a production environment and its build environment, the researchers wrote. The keychain, on the other hand, symbolizes the collection of one or more scattered secrets the attacker finds throughout the target environment.
On its own, either scenario is unhygienic, but not critically dangerous. However, they form a fatal compound when combined, the researchers said.
Hell’s Keychain held three specific secrets: a Kubernetes service account token, a private container registry password, and continuous integration and delivery (CI/CD) server credentials.
Combining this chain with the so-called forbidden link between Wizs personal PostgreSQL instance and IBM Cloud databases’ build environment allowed researchers to enter IBM Cloud’s internal build servers and manipulate their artifacts, the researchers said.
The scenario presented in Hells Keychain represents a broader problem within
the cloud security community
that demands attention and remediation, the researchers said. To wit: scattered plaintext credentials that are found across cloud environments that impose a huge risk on an organization, impairing service integrity and tenant isolation, they said.
For this reason, secret scanning at all stages of the pipeline is crucial, including in CI/CD, code repo, container registries, and within the cloud, Luttwak says.
Furthermore, lockdown of privileged credentials to the container registry is crucial, as these credentials are often overlooked but are actually the keys to the kingdom, he adds.
CSP customers also should consider image signing verification via admission controllers to ensure these sort of attacks are prevented entirely, Luttwak says.
Hells Keychain also highlights a
common misconfiguration
in the use of the popular
Kubernetes API
for container management within the cloud — pod access, which can lead to unrestricted container registry exposure, he says.
Another best practice the researchers recommend is any organization — CSP or otherwise — deploying a cloud environment can take is to impose strict network controls between the Internet-facing environment and the organizations internal network in the production environment, so attackers cant gain a deeper foothold and maintain persistence if they do manage to breach it.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
IBM Cloud Supply Chain Vulnerability Showcases New Threat Class