Security misconfigurations, careless use of third-party components, and malicious exploits of development supply chain vulnerabilities need to be reined-in
New attack techniques have been uncovered in the Domain-Specific Languages (DSLs) of popular policy-as-code (PaC) and infrastructure-as-code (IaC) platforms that can lead to compromised cloud identities, lateral movement, and data exfiltration.
DSLs are hardened languages with limited capabilities, which are thereby supposed to be more secure than standard programming languages. However, these frameworks are often assumed secure by default — leaving an open door for attackers to exploit.
In CVE-2024-8260, the SMB force-authentication vulnerability is described to exist in all versions of OPA for Windows prior to v0.68.0, allowing a user to pass an arbitrary Server Message Block share instead of a Rego file as an argument to the OPA command line interface, or to one of the OPA Go library’s functions.
An attacker who compromises the policy supply chain can insert malicious Rego policies that will be executed during policy evaluation, to achieve malicious objectives like credentials exfiltration or data leaking.
In IaC platforms, two kinds of third-party components (Modules and Providers) are commonly used for efficiency, and even for enhanced security when used properly. However, if used carelessly, they can introduce a serious supply chain risk. Under certain conditions involving specific overlooked misconfigurations, adversaries can manipulate such vulnerabilities through third-party components to achieve code execution of unreviewed code, opening stealthy paths for malicious insiders or external attackers.
This finding highlights the importance of rethinking security strategies around PaC and IaC deployments.
According to Tenable, the firm disclosing the new attack techniques, best practices for preventing exploits include: applying role-based access control and the principle of least privilege in running IaC or PaC frameworks (via API and associated cloud roles); using only trusted third-party components; setting up application-level and cloud-level logging for monitoring and analysis; using OPA’s capabilities.json file to restrict outbound network connections; and preventing automatic execution of unreviewed and potentially malicious code in CI/CD pipelines by pre-emptive scanning (before deploying the IaC plan) using custom policies according to organizational and specific development environment baseline needs.
