IBM has patched a high-severity security vulnerability in its Cloud Databases (ICD) for PostgreSQL offering that could have been exploited to tamper with internal repositories and run unauthorized code.
The privilege escalation flaw (CVSS score: 8.8), dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure."
Successful exploitation could have let a malicious actor execute code remotely in customers' environments and read or modify data stored in the PostgreSQL database.
"The vulnerability consists of a chain of three exposed secrets (Kubernetes service account token, private container registry password, CI/CD server credentials) coupled with overly permissive network access to internal build servers," Wiz researchers Ronen Shustin and Shir Tamari said.
Hell's Keychain begins with an SQL injection flaw in ICD that grants an attacker superuser (the "ibm" role) privileges, which are then used to execute arbitrary commands on the underlying virtual machine hosting the database instance. A PostgreSQL superuser can already read server-side files and launch programs through built-in server features, so on a managed instance a superuser grant is, in practice, access to the host.
That foothold is used to read a Kubernetes API token file, which opens the door to broader post-exploitation: pulling container images from IBM's private container registry, which stores the images used by ICD for PostgreSQL, and scanning those images for additional secrets.
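The pivot described above, from the "ibm" superuser to commands on the VM and then to the Kubernetes service-account token, is the kind of activity a statement log can surface. The following is an added detection example and is not code from Wiz, IBM, or the ICD product; the article does not say which PostgreSQL mechanism Wiz used for command execution, so the script watches the standard superuser host-access primitives (COPY ... TO/FROM PROGRAM, server-side file COPY, pg_read_file and friends, lo_import) rather than any specific step of the chain. The log format assumes `log_line_prefix = '%m [%p] %u@%d '` with `log_statement = 'all'`, and the sample lines, the `ibmclouddb` database name and the `app` role are constructed for the example.

```python
"""Flag PostgreSQL statements that let a superuser reach the host OS.

Added illustration for the Hell's Keychain write-up, not Wiz's or IBM's code.
Assumed server config: log_line_prefix = '%m [%p] %u@%d ', log_statement = 'all'.
The sample log lines below are constructed, not captured from a real system.
"""
import re

# One line of a statement log under the assumed log_line_prefix.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Generic PostgreSQL superuser capabilities that touch the host, not a claim
# about which one was used in the ICD chain.
HOST_ACCESS_PATTERNS = {
    "copy_program": re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S),
    "copy_file":    re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+'", re.I | re.S),
    "file_read":    re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I),
    "dir_list":     re.compile(r"\bpg_ls_dir\s*\(", re.I),
    "lo_import":    re.compile(r"\blo_import\s*\(", re.I),
}

# Paths whose appearance in a statement deserves an immediate look.
SENSITIVE_PATH_HINTS = (
    "/var/run/secrets/kubernetes.io/serviceaccount",
    "/etc/shadow",
    "/root/",
    "/proc/",
)

# Constructed sample log: one normal app query, two host-access statements
# from the superuser role, one benign COPY from the client, one non-statement line.
SAMPLE_LOG = [
    "2022-08-20 10:01:02.345 UTC [4121] app@ibmclouddb LOG:  statement: "
    "SELECT id, name FROM customers WHERE id = 42",
    "2022-08-20 10:01:09.111 UTC [4130] ibm@ibmclouddb LOG:  statement: "
    "COPY (SELECT '') TO PROGRAM 'id > /tmp/out'",
    "2022-08-20 10:01:15.902 UTC [4130] ibm@ibmclouddb LOG:  statement: "
    "SELECT pg_read_file('/var/run/secrets/kubernetes.io/serviceaccount/token')",
    "2022-08-20 10:01:20.000 UTC [4135] app@ibmclouddb LOG:  statement: "
    "COPY customers FROM STDIN",
    "2022-08-20 10:01:25.000 UTC [4130] ibm@ibmclouddb LOG:  duration: 0.512 ms",
]


def parse_line(line):
    """Return the prefix fields and SQL of a statement line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(sql):
    """Return (matching host-access kinds, sensitive paths mentioned) for one statement."""
    kinds = [kind for kind, rx in HOST_ACCESS_PATTERNS.items() if rx.search(sql)]
    paths = [p for p in SENSITIVE_PATH_HINTS if p in sql]
    return kinds, paths


def scan_log(lines):
    """Walk statement-log lines and collect every host-access statement with its role."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kinds, paths = classify(rec["sql"])
        if kinds:
            findings.append({"user": rec["user"], "db": rec["db"],
                             "kinds": kinds, "paths": paths, "sql": rec["sql"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " SENSITIVE PATH" if f["paths"] else ""
        print(f"{f['user']}@{f['db']} {','.join(f['kinds'])}{flag}: {f['sql']}")
```

The role name in the prefix is only a hint; in a real deployment, join the findings against `pg_roles.rolsuper` so that a COPY TO PROGRAM from a genuine superuser is ranked above one that would simply fail. On a managed service, any of these statements from an application role that was never meant to hold superuser is the signal, regardless of whether the command succeeded.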
"Container images typically hold proprietary source code and binary artifacts that are the company's intellectual property," the researchers explained. "They can also contain information that an attacker could leverage to find additional vulnerabilities and perform lateral movement within the service's internal environment."
Wiz said it was able to extract internal artifact repository and FTP credentials from the image manifest files, effectively gaining unfettered read-write access to trusted repositories and IBM build servers.
An attack of this kind could have severe ramifications: with write access to the build inputs, an adversary could overwrite arbitrary files used in the build process of the PostgreSQL image, and the poisoned image would then be installed on every database instance.
IBM, in a separate advisory, said that all IBM Cloud Databases for PostgreSQL instances were potentially affected by the bug, but noted that it found no evidence of malicious activity.
It further stated that the fixes were applied automatically to customer instances and that no further action is required. The mitigations were rolled out on August 22 and September 3, 2022.
"These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform," the researchers said.
To mitigate such threats, organizations are advised to monitor their cloud environments for scattered credentials, enforce network controls that keep production and build servers unreachable from workloads that have no business talking to them, and guard against container registry scraping by treating registry credentials as secrets and auditing what is baked into images.
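Two passages above call for the same check: the image scanning Wiz performed (pulling images from the private registry and extracting repository and FTP credentials from their manifests) and the closing advice to hunt for scattered credentials. The script below is an added example and is not Wiz's tooling or anything from IBM; it takes an image in the layout produced by `docker save` (a `manifest.json`, a config JSON per image, and one tar per layer), scans the config's `Env` and `history` entries and the files inside each layer for credential patterns, and builds a small constructed image in memory so it runs offline. The registry name, file paths and credentials in the sample are fake and labelled as such in the code.

```python
"""Scan a docker-save style image archive for baked-in credentials.

Added example for the Hell's Keychain write-up; not Wiz's or IBM's code.
The sample image below is constructed in memory and every secret in it is fake.
"""
import io
import json
import re
import tarfile

# Credential shapes worth flagging in build metadata and layer files.
SECRET_PATTERNS = {
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@[^\s/]+", re.I),
    "env_assignment":    re.compile(r"\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY))=(\S+)"),
    "netrc_password":    re.compile(r"^\s*machine\s+\S+.*\bpassword\s+\S+", re.M),
    "bearer_token":      re.compile(r"\bey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "private_key":       re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries inside layers


def scan_text(text, location):
    """Return one finding per pattern match in a piece of text."""
    return [{"kind": kind, "where": location, "match": m.group(0)}
            for kind, rx in SECRET_PATTERNS.items() for m in rx.finditer(text)]


def scan_image_tar(data):
    """Scan manifest.json, each image config (Env + history) and each layer's files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        for entry in manifest:
            cfg_name = entry["Config"]
            cfg = json.load(tar.extractfile(cfg_name))
            # ENV instructions end up in config.Env; ARG/RUN lines survive in history.
            for env in cfg.get("config", {}).get("Env", []):
                findings += scan_text(env, f"{cfg_name}:config.Env")
            for i, step in enumerate(cfg.get("history", [])):
                findings += scan_text(step.get("created_by", ""), f"{cfg_name}:history[{i}]")
            for layer_name in entry["Layers"]:
                layer_bytes = tar.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if not member.isfile() or member.size > MAX_FILE_BYTES:
                            continue
                        try:
                            text = layer.extractfile(member).read().decode("utf-8")
                        except UnicodeDecodeError:
                            continue  # binary file, not scanned here
                        findings += scan_text(text, f"{layer_name}:{member.name}")
    return findings


def _add_bytes(tar, name, payload):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_sample_image():
    """Constructed docker-save archive with fake secrets in Env, history and a layer file."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_bytes(layer, "etc/motd", b"internal build image\n")
        _add_bytes(layer, "opt/build/.netrc",
                   b"machine artifacts.example.internal login builder password Hunter2!\n")
    config = {
        "config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "PGDATA=/var/lib/postgresql/data",
                           "ARTIFACTORY_TOKEN=AKCp8fake1234567890"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
            {"created_by": "/bin/sh -c curl -o pg.tgz "
                           "ftp://builder:Hunter2!@ftp.example.internal/postgresql.tgz"},
        ],
    }
    cfg_name, layer_name = "deadbeef.json", "cafebabe/layer.tar"
    manifest = [{"Config": cfg_name,
                 "RepoTags": ["registry.example.internal/icd/postgresql:12"],
                 "Layers": [layer_name]}]
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        _add_bytes(tar, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(tar, cfg_name, json.dumps(config).encode())
        _add_bytes(tar, layer_name, layer_buf.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    for f in scan_image_tar(build_sample_image()):
        print(f"{f['kind']:18} {f['where']}: {f['match']}")
```

Run it against a real image with `docker save image:tag -o image.tar` and pass the file's bytes to `scan_image_tar`. The `history` scan matters most: a credential passed as a build ARG or used in a RUN line is gone from the final filesystem yet stays in the image metadata, which is exactly the place a registry scraper looks first.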