IBM Cloud Supply Chain Vulnerability Demonstrates New Threat Class

Obanla Opeyemi

December 13, 2022 - TuxCare expert team

Wiz security researchers discovered Hell’s Keychain, a first-of-its-kind cloud service provider supply-chain vulnerability, in IBM Cloud Databases for PostgreSQL.

The discovery was made while the researchers were conducting a routine audit of IBM Cloud’s PostgreSQL-as-a-service to determine whether they could escalate privileges to become superusers, which would allow them to execute arbitrary code on the underlying virtual machine and, from there, probe further internal security boundaries.

Hell’s Keychain is made up of three exposed secrets: a Kubernetes service account token, a private container registry password, and CI/CD server credentials. Combined with overly permissive network access to internal build servers, these could potentially have allowed attackers to launch a supply chain attack on cloud customers by breaching internal IBM Cloud services and disrupting the hosted system’s internal image-building process.

The researchers describe two ingredients: the forbidden link, which is the network access that connects a production environment to its build environment, and the keychain, which is the collection of one or more scattered secrets an attacker discovers throughout the target environment. Each is poor security hygiene but not dangerous on its own; combined, however, they form a deadly combination, according to the researchers.

Hell’s Keychain starts with a SQL injection flaw in ICD (IBM Cloud Databases) that grants an attacker superuser (aka “ibm”) privileges, which are then used to execute arbitrary commands on the underlying virtual machine that hosts the database instance.

This capability is used to gain access to a Kubernetes API token file, allowing for broader post-exploitation efforts such as retrieving container images from IBM’s private container registry, which stores images related to ICD for PostgreSQL, and scanning those images for additional secrets.

“Modifications to the PostgreSQL engine effectively introduced new vulnerabilities to the service,” the researchers wrote. “These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform.”

Wiz went on to say that it could extract internal artifact repository and FTP credentials from image manifest files, effectively granting unrestricted read-write access to trusted repositories and IBM build servers.
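As an added illustration (not code from Wiz, IBM or this article), a defender-side check of the kind that would surface the “keychain” secrets described above: a scan of an OCI/Docker image config for credentials left in ENV entries and build history. The image config below is constructed for the example and contains no real secrets.

```python
import json
import re

# Key names that commonly carry credentials in ENV/ARG entries.
SENSITIVE_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.IGNORECASE)
# URLs embedding credentials in the userinfo part, e.g. ftp://user:pass@host/path.
URL_WITH_USERINFO = re.compile(r"(\b[a-z][a-z0-9+.-]*://[^\s/:@]+:)([^\s/@]+)(@\S+)", re.IGNORECASE)
# KEY=VALUE assignments as written by ENV/ARG instructions.
ASSIGNMENT = re.compile(r"\b([A-Z][A-Z0-9_]*)=(\S+)")


def scan_text(location, text):
    """Return findings for one string; secret values are never echoed back."""
    findings = []
    for m in URL_WITH_USERINFO.finditer(text):
        masked = m.group(1) + "***" + m.group(3)  # keep scheme/user/host, hide password
        findings.append({"where": location, "kind": "url-userinfo", "value": masked})
    for m in ASSIGNMENT.finditer(text):
        if SENSITIVE_KEY.search(m.group(1)):
            findings.append({"where": location, "kind": "sensitive-env", "value": m.group(1)})
    return findings


def scan_image_config(config):
    """Scan the 'config.Env' list and every 'history[].created_by' of an image config."""
    findings = []
    for env in config.get("config", {}).get("Env", []):
        findings.extend(scan_text("config.Env", env))
    for i, entry in enumerate(config.get("history", [])):
        findings.extend(scan_text(f"history[{i}].created_by", entry.get("created_by", "")))
    return findings


# Constructed sample image config (not from any real registry).
SAMPLE_IMAGE_CONFIG = json.loads("""
{
  "config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "PG_MAJOR=14",
    "ARTIFACTORY_PASSWORD=example-not-a-real-secret"
  ]},
  "history": [
    {"created_by": "/bin/sh -c #(nop)  ENV PG_MAJOR=14"},
    {"created_by": "/bin/sh -c curl -O ftp://builder:example-pass@ftp.build.example/pg-ext.tgz"}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(scan_image_config(SAMPLE_IMAGE_CONFIG), indent=2))
```

On a real image, feed it the output of `docker image inspect` (the `Config.Env` list and the image history) or the OCI config blob from the registry; the same two checks apply.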

Although IBM stated that the bug could have affected its Cloud Databases for PostgreSQL instances, it found no evidence of malicious activity using the PostgreSQL privilege escalation via SQL Injection, and it has since patched the vulnerability for all of its customers. There is no need for the customer to take any action.

The sources for this piece include an article in TheHackerNews.
