Whisk-y business: How Apache OpenWhisk hole left IBM Cloud Functions at risk of hijacking

Now-patched vulnerability let attackers overwrite code
By Shaun Nichols

IBM has patched a critical vulnerability in its Cloud Functions platform that would have allowed miscreants to remotely overwrite customers' code – and execute malicious commands to hijack services.

The flaws, designated CVE-2018-11756 and CVE-2018-11757, are actually present in Apache OpenWhisk, a component Big Blue uses to provide so-called serverless functions. The concept of serverless, essentially, reduces web and backend applications to blocks of code, aka functions, called by applications over the internet. Rather than deploy your code on physical host servers or virtual machines, you break it into functions and run them in the cloud on demand, in response to incoming requests – saving you from having to maintain and update the underlying servers, and from paying to rent whole servers, hence the term "serverless."

Anyway, the OpenWhisk bugs were discovered and reported to both IBM and Apache by researchers at infosec biz PureSec. The flaws lie in the way OpenWhisk received and processed incoming HTTP-based REST API calls. In particular, it would allow someone to request /init, allowing them to reinitialize the Docker container holding the serverless code, and overwrite the functions so that, in future, malicious code would run rather than the intended scripts.

Here's an example REST API call PureSec provided to scribble over a customer's installation:

POST /init HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Content-Length: 91
Connection: close

{
  "value": {
    "code": "def main(dict):\n\treturn {\"msg\":\"FOOBAR\"}\n"
  }
}

In short, the bug lets miscreants overwrite backend code and run it. That's… very bad.

"Based on our research, under certain conditions, a remote attacker may overwrite the source code of the serverless function (referred to as 'action' in the OpenWhisk platform) being executed and influence subsequent executions of the same function in the same runtime container," PureSec CTO Ory Segal explained today.

"An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions such as leaking sensitive data during subsequent executions, which may belong to other end-users."

Here's a video of the issue:

PureSec said it flagged up the vulnerability in June along with a proposed mitigation that has since been implemented.

"The security of functions is an important tenet of serverless computing," said Rodric Rabbah, one of the creators of Apache OpenWhisk. "The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure."

Rabbah also wrote up his thoughts on serverless function security, here.

With the fix now in place, PureSec said OpenWhisk – and IBM Cloud Functions – now prevent the attack by only allowing /init to run when the container is first created; any later /init request to an already-initialized container is refused. If you're also using OpenWhisk for your own stuff, make sure you're using the latest version to pick up the security fix.
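To make that fix concrete, here is an added illustration that is not OpenWhisk's own code and not PureSec's: a small model of an action runtime container's /init and /run handlers, in the pre-fix form that honours /init at any time and in the hardened form that only honours the first /init per container. The `ActionRuntime` class, the handler names, the 403 response and the sample action sources are assumptions made for this model.

```python
import json


class ActionRuntime:
    """Minimal stand-in for a serverless action container (constructed model, not OpenWhisk code).

    The container receives /init with the function source once, then /run
    repeatedly with per-invocation parameters. The same container is reused
    for many invocations, which is why an unexpected second /init matters:
    whatever it loads serves every later caller of that container.
    """

    def __init__(self, allow_reinit):
        self.allow_reinit = allow_reinit   # True models the pre-fix behaviour
        self.code = None                   # source of the currently loaded action
        self.main = None                   # callable compiled from that source

    def init(self, body):
        """Handle POST /init; body is the parsed JSON {"value": {"code": ...}}."""
        if self.code is not None and not self.allow_reinit:
            # Hardened behaviour: the action is already loaded, refuse to replace it.
            return 403, {"error": "container already initialized"}
        src = body["value"]["code"]
        namespace = {}
        exec(src, namespace)  # load the action source, as a Python runtime does
        self.code = src
        self.main = namespace["main"]
        return 200, {"OK": True}

    def run(self, params):
        """Handle POST /run with the loaded action."""
        if self.main is None:
            return 500, {"error": "action not initialized"}
        return 200, self.main(params)


# Constructed sample action the platform deploys into the container.
LEGIT_CODE = 'def main(dict):\n\treturn {"msg": "hello"}\n'
# Constructed replacement in the same shape as the article's /init payload.
OVERWRITE_CODE = 'def main(dict):\n\treturn {"msg": "FOOBAR"}\n'


def simulate(allow_reinit):
    """Return (status of the second /init, msg seen by the next legitimate /run)."""
    rt = ActionRuntime(allow_reinit)
    rt.init(json.loads(json.dumps({"value": {"code": LEGIT_CODE}})))  # platform init
    status, _ = rt.init({"value": {"code": OVERWRITE_CODE}})           # later /init
    _, result = rt.run({})                                             # next invocation
    return status, result["msg"]


if __name__ == "__main__":
    print("pre-fix :", simulate(allow_reinit=True))    # (200, 'FOOBAR'): code replaced
    print("hardened:", simulate(allow_reinit=False))   # (403, 'hello'): original kept
```

The pre-fix model returns 200 to the second /init and every later /run executes the replacement; the hardened model rejects it and keeps serving the original action. In a real deployment the same check is what a detection rule would key on: a 403 from /init on a running container is a signal worth logging, since the platform itself only sends /init once.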