December 13, 2022 - TuxCare expert team
Wiz security researchers discovered Hell’s Keychain, a first-of-its-kind cloud service provider supply-chain vulnerability, in IBM Cloud Databases for PostgreSQL.
The researchers found it during a routine audit of IBM Cloud’s PostgreSQL-as-a-service, in which they set out to determine whether they could escalate privileges to superuser, which would let them execute arbitrary code on the underlying virtual machine and go on to probe internal security boundaries from there.
The chain consists of three exposed secrets: a Kubernetes service account token, a private container registry password, and CI/CD server credentials. Combined with overly permissive network access from the production environment to internal build servers, these could have allowed attackers to breach internal IBM Cloud services, tamper with the hosted system’s internal image-building process, and thereby launch a supply chain attack on cloud customers.
The researchers describe two underlying problems: a forbidden link, meaning network access that connects a production environment to its build environment, and the keychain, the collection of one or more scattered secrets that an attacker gathers throughout the target environment. Either issue is poor hygiene but not dangerous on its own; combined, however, they form a deadly combination, according to the researchers.
Hell’s Keychain starts with a SQL injection flaw in IBM Cloud Databases (ICD) for PostgreSQL, which grants an attacker superuser (aka “ibm”) privileges; these are then used to execute arbitrary commands on the underlying virtual machine that hosts the database instance.
This capability is used to gain access to a Kubernetes API token file, allowing for broader post-exploitation efforts such as retrieving container images from IBM’s private container registry, which stores images related to ICD for PostgreSQL, and scanning those images for additional secrets.
“Modifications to the PostgreSQL engine effectively introduced new vulnerabilities to the service,” the researchers wrote. “These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform.”
Wiz went on to say that it could extract internal artifact repository and FTP credentials from image manifest files, effectively granting unrestricted read-write access to trusted repositories and IBM build servers.
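The secret-hunting step described above (pulling images from the registry and mining their manifests for artifact repository and FTP credentials) is something defenders can run against their own images before they ship. The following is an added example, not Wiz’s tooling or IBM’s code: it scans a container image config JSON for credential-like environment variables and for URLs that embed a username and password. The sample config is constructed here, with placeholder values.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of a Docker/OCI image config, trimmed to the two fields
# that most often carry build-time secrets: the environment and layer history.
SAMPLE_IMAGE_CONFIG = json.dumps({
    "config": {
        "Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "ARTIFACT_REPO_PASSWORD=placeholder-not-a-real-secret",
            "PGDATA=/var/lib/postgresql/data",
        ]
    },
    "history": [
        {"created_by": "/bin/sh -c apt-get update"},
        {"created_by": "/bin/sh -c curl -O ftp://builder:placeholder-pw@build.internal.example/pkg.tgz"},
    ],
})

# Variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASS(WORD)?|TOKEN|SECRET|API_?KEY|CREDENTIAL)", re.I)
# Any scheme://user:password@host URL, e.g. an FTP or artifact repo fetch.
URL_WITH_USERINFO = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/@]+:[^\s/@]+@[^\s]+", re.I)


def find_embedded_secrets(image_config_json: str) -> list[dict]:
    """Return a finding per env var or layer command that looks like a credential.

    Only the variable name and the URL host are reported, never the value,
    so the scanner's own output does not become another leaked secret.
    """
    cfg = json.loads(image_config_json)
    findings = []
    for entry in cfg.get("config", {}).get("Env", []):
        name, _, value = entry.partition("=")
        if SECRET_NAME.search(name) and value:
            findings.append({"where": "env", "name": name})
        for m in URL_WITH_USERINFO.finditer(value):
            findings.append({"where": "env", "name": name,
                             "host": urlsplit(m.group(0)).hostname})
    for i, layer in enumerate(cfg.get("history", [])):
        for m in URL_WITH_USERINFO.finditer(layer.get("created_by", "")):
            findings.append({"where": f"history[{i}]",
                             "host": urlsplit(m.group(0)).hostname})
    return findings


if __name__ == "__main__":
    for f in find_embedded_secrets(SAMPLE_IMAGE_CONFIG):
        print(f)
```

The config JSON for a real image is the blob referenced by the manifest’s `config` descriptor; the same checks apply to each layer’s history because credentials passed on a `RUN` line survive in it even after the file they fetched is deleted.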
Although IBM stated that the bug could have affected its Cloud Databases for PostgreSQL instances, it found no evidence of malicious activity using the PostgreSQL privilege escalation via SQL injection, and it has since patched the vulnerability for all of its customers. Customers do not need to take any action.
The sources for this piece include an article in TheHackerNews.