By Shaun Nichols
IBM has patched a critical vulnerability in its Cloud Functions platform
that would have allowed miscreants to remotely overwrite customers'
code – and execute malicious commands to hijack services.
The flaws, designated CVE-2018-11756 and CVE-2018-11757, are actually
present in Apache OpenWhisk, a component Big Blue uses to provide
so-called serverless functions. The concept of serverless, essentially,
reduces web and backend applications to blocks of code, aka functions,
called by applications over the internet. Rather than deploy your code
on physical host servers or virtual machines, you break it into
functions and run them in the cloud on demand to incoming requests –
saving you having to maintain and update the underlying servers, and pay
to rent whole servers, hence the term "serverless."
Anyway, the OpenWhisk bugs were discovered and reported to both IBM and
Apache by researchers at infosec biz PureSec. The flaws lie in the way
OpenWhisk received and processed incoming HTTP-based REST API calls. In
particular, a caller could request /init on an already running Docker
container holding the serverless code, reinitialize it, and overwrite the
functions so that, in future, malicious code would run rather than the
intended scripts.
Here's an example REST API call PureSec provided to scribble over a customer's installation:
POST /init HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Content-Length: 91
Connection: close

{
    "value": {
        "code": "def main(dict):\n\treturn {\"msg\":\"FOOBAR\"}\n"
    }
}
In short, the bug lets miscreants overwrite backend code and run it. That's… very bad.
"Based on our research, under certain conditions, a remote attacker may
overwrite the source code of the serverless function (referred to as
'action' in the OpenWhisk platform) being executed and influence
subsequent executions of the same function in the same runtime
container," PureSec CTO Ory Segal explained today.
"An attacker that manages to overwrite or modify the code of the
serverless function can then perform further actions such as leaking
sensitive data during subsequent executions, which may belong to other
end-users."
PureSec said it flagged up the vulnerability in June along with a proposed mitigation that has since been implemented.
"The security of functions is an important tenet of serverless
computing," said Rodric Rabbah, one of the creators of Apache OpenWhisk.
"The Apache OpenWhisk community thanks PureSec and its research team
for improving the OpenWhisk platform and making it more secure."
Rabbah also wrote up his thoughts on serverless function security, here.
With the fix now in place, PureSec said OpenWhisk – and IBM Cloud Functions – now prevent the attack by only allowing init to run when the container is first created. If you're also using OpenWhisk for your own stuff, make sure you're using the latest version to pick up the security fix.
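To make the fix concrete, here is an added example (not Apache OpenWhisk's or IBM's own code) of a minimal model of an action container's /init and /run handlers: with `allow_reinit=True` it behaves like the vulnerable runtime, where a later /init silently replaces the loaded function; with the default it behaves like the patched one, accepting /init only once. The class, method names and the second request body are assumptions constructed for the example.

```python
import json

# Added example, not the OpenWhisk runtime's own code: a toy model of the
# /init and /run handlers inside one action container. allow_reinit=True
# models the vulnerable behaviour; the default models the fix, where init
# is honoured only when the container is first set up.
class ActionRuntime:
    def __init__(self, allow_reinit=False):
        self.allow_reinit = allow_reinit
        self.main = None          # entry point of the loaded action
        self.initialized = False

    def init(self, body):
        """Handle POST /init. Returns (HTTP status, response dict)."""
        if self.initialized and not self.allow_reinit:
            # Hardened path: a live container refuses to be re-initialized.
            return 403, {"error": "Cannot initialize the action more than once."}
        code = json.loads(body)["value"]["code"]
        namespace = {}
        exec(code, namespace)     # load the supplied function source
        self.main = namespace["main"]
        self.initialized = True
        return 200, {"OK": True}

    def run(self, body):
        """Handle POST /run: invoke the loaded action with the request value."""
        if self.main is None:
            return 403, {"error": "Action not initialized"}
        args = json.loads(body).get("value", {})
        return 200, self.main(args)


# Constructed sample bodies: the PureSec request quoted above, and a second
# /init that tries to replace the function after the container is live.
FIRST_INIT = json.dumps({"value": {"code": 'def main(dict):\n\treturn {"msg":"FOOBAR"}\n'}})
SECOND_INIT = json.dumps({"value": {"code": 'def main(dict):\n\treturn {"msg":"REPLACED"}\n'}})


def scenario(allow_reinit):
    """Init, attempt a re-init, then run; returns (re-init status, msg now returned)."""
    rt = ActionRuntime(allow_reinit=allow_reinit)
    rt.init(FIRST_INIT)
    status, _ = rt.init(SECOND_INIT)
    _, result = rt.run(json.dumps({"value": {}}))
    return status, result["msg"]


if __name__ == "__main__":
    print("vulnerable:", scenario(True))    # (200, 'REPLACED')
    print("patched:   ", scenario(False))   # (403, 'FOOBAR')
```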