Security researchers have discovered a vulnerability in the Apache OpenWhisk serverless platform that could let attackers replace a company's serverless function code with malicious code of their own.
Once running, the replacement code could then be used to extract confidential customer data such as passwords or credit card numbers, modify or delete data, mine cryptocurrencies or perform a DDoS.
The two flaws, CVE-2018-11756 and CVE-2018-11757, were found in Apache OpenWhisk, the open source serverless platform that IBM uses to run Cloud Functions. Apache OpenWhisk executes functions in response to events with rapid auto-scaling. It provides a programming model to create functions as cloud-native event handlers, and executes the functions automatically, inside runtime containers, as the events occur. The technology is used in several commercial deployments.
According to a blog post by researchers at PureSec, under certain conditions a remote attacker may overwrite the source code of a vulnerable function while it is being executed in a runtime container, and so influence subsequent executions of the same function in the same container.
"An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions such as leaking sensitive data during subsequent executions within that function, which may belong to other end users," said researchers.
The problem lay in the way the runtime container's action proxy received and processed incoming HTTP-based REST API calls. The /init endpoint, which the platform uses to load a function's code into a freshly created Docker container, could be called again after that first initialisation. An attacker able to reach the endpoint could therefore reinitialise the container with their own code, which would then run in place of the intended function on every subsequent invocation handled by that container.
Researchers drew attention to the flaw in June. PureSec also provided the Apache OpenWhisk team with a suggested fix, which mitigates the risk. Apache has released a patch, and all users of Apache OpenWhisk should update to the latest version immediately.
OpenWhisk has now modified the behaviour of the actionProxy to allow access to the /init REST endpoint only once (when the container is instantiated), thus blocking any subsequent attempts to access it.
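To make the /init behaviour described above concrete, the following is an added example written for this article; it is not the OpenWhisk project's own actionProxy code. It is a small in-memory model of an action runtime's HTTP proxy with the pre-fix behaviour (every /init accepted, so a warm container can be re-armed with new code) beside the fixed behaviour (/init accepted once, later attempts rejected). The class and function names (ActionProxy, simulate_attack), the constructed legitimate and malicious payloads, and the assumption that the attacker can reach the container's endpoint at all are illustrative assumptions; the request shape (a code string under `value.code`) only loosely follows the platform's real protocol.

```python
"""Model of a serverless runtime's /init and /run endpoints (illustrative, not OpenWhisk's code)."""


class ActionProxy:
    """In-memory stand-in for the HTTP proxy inside an action container.

    handle() takes the method, path and JSON body of a request and returns
    (status_code, response_body), so the logic can run without a socket.
    allow_reinit=True models the vulnerable behaviour; False models the fix.
    """

    def __init__(self, allow_reinit):
        self.allow_reinit = allow_reinit  # hypothetical switch for the demo
        self.initialized = False
        self.namespace = {}  # module state of the loaded action, kept across /run calls

    def handle(self, method, path, body):
        if method != "POST":
            return 405, {"error": "method not allowed"}
        if path == "/init":
            return self._init(body)
        if path == "/run":
            return self._run(body)
        return 404, {"error": "not found"}

    def _init(self, body):
        # The fix: once the container has been initialised, refuse to do it again.
        if self.initialized and not self.allow_reinit:
            return 403, {"error": "Cannot initialize the action more than once."}
        code = body.get("value", {}).get("code")
        if not isinstance(code, str):
            return 400, {"error": "Missing main/no code to execute."}
        namespace = {}
        exec(code, namespace)  # load the action source; its globals live in `namespace`
        if not callable(namespace.get("main")):
            return 400, {"error": "Missing main/no code to execute."}
        self.namespace = namespace
        self.initialized = True
        return 200, {"OK": True}

    def _run(self, body):
        if not self.initialized:
            return 403, {"error": "Cannot invoke an uninitialized action."}
        result = self.namespace["main"](body.get("value", {}))
        return 200, result


# Constructed sample payloads for the demonstration.
LEGIT_CODE = '''
def main(args):
    return {"greeting": "hello " + args.get("name", "")}
'''

# Attacker's replacement: behaves like the original so nothing looks wrong,
# but records every argument it sees for later exfiltration.
MALICIOUS_CODE = '''
captured = []
def main(args):
    captured.append(args.get("name"))
    return {"greeting": "hello " + args.get("name", "")}
'''


def simulate_attack(allow_reinit):
    """Run the scenario from the article against a vulnerable or fixed proxy."""
    proxy = ActionProxy(allow_reinit=allow_reinit)
    # 1. The platform creates the container and installs the real function.
    init_status, _ = proxy.handle("POST", "/init", {"value": {"code": LEGIT_CODE}})
    # 2. An attacker who can reach the container's endpoint (assumed here) re-sends /init.
    reinit_status, _ = proxy.handle("POST", "/init", {"value": {"code": MALICIOUS_CODE}})
    # 3. A later, legitimate user invokes the function in the same warm container.
    run_status, result = proxy.handle("POST", "/run", {"value": {"name": "alice"}})
    # What the attacker's code managed to harvest from that other user's invocation.
    leaked = list(proxy.namespace.get("captured", []))
    return {
        "init_status": init_status,
        "reinit_status": reinit_status,
        "run_status": run_status,
        "result": result,
        "leaked": leaked,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(allow_reinit=True))
    print("fixed:     ", simulate_attack(allow_reinit=False))
```

In the vulnerable configuration the second /init succeeds and the next user's argument ends up in the attacker's `captured` list, while the caller still receives the expected greeting and notices nothing. With the one-shot check the second /init is refused with a 403, the original code keeps running, and nothing is captured.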
Jim Mackey, senior technical evangelist at Black Duck by Synopsys, told SC Media UK that the vulnerabilities demonstrate how trust of infrastructure impacts the overall security of the applications being delivered.
"Whether the application is traditional, containerised or serverless, the security of the entire delivery stack must be continually monitored. As applications are decomposed into functions deployed in serverless models, the potential attack surface for these applications increases and each function should be considered as a distinct deliverable subject to a full security review," he said.
Sam Haria, global SOC manager at Invinsec, told SC Media UK that the reason hackers would exploit this vulnerability is that, if the hacker has the ability and skills to overwrite or modify the code of the serverless function, then they can perform further actions such as leaking personal data during subsequent attacks, along with being able to simultaneously execute other attacks.
"For example, when a genuine user comes and invokes a function that maybe uses their name, national insurance number (social security in the US) and address, the hacked code has the potential to capture in transit and email the information to the attacker. The exploit leaves the door wide open for hackers to exploit, steal or modify anything that resides on these servers with the ability to access other areas within the organisation," he said.