IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code.
The privilege escalation flaw (CVSS score: 8.8), dubbed “Hell’s Keychain” by cloud security firm Wiz, has been described as a “first-of-its-kind supply-chain attack vector impacting a cloud provider’s infrastructure.”
Successful exploitation of the bug could enable a malicious actor to remotely execute code in customers’ environments and even read or modify data stored in the PostgreSQL database.
“The vulnerability consists of a chain of three exposed secrets (Kubernetes service account token, private container registry password, CI/CD server credentials) coupled with overly permissive network access to internal build servers,” Wiz researchers Ronen Shustin and Shir Tamari said.
Hell’s Keychain commences with an SQL injection flaw in ICD that grants an attacker superuser (aka “ibm”) privileges, which is then used to execute arbitrary commands on the underlying virtual machine hosting the database instance.
This capability is weaponized to access a Kubernetes API token file, allowing for broader post-exploitation efforts that involve pulling container images from IBM’s private container registry, which stores images related to ICD for PostgreSQL, and scanning those images for additional secrets.
“Container images typically hold proprietary source code and binary artifacts that are the company’s intellectual property,” the researchers explained. “They can also contain information that an attacker could leverage to find additional vulnerabilities and perform lateral movement within the service’s internal environment.”
Wiz said it was able to extract internal artifact repository and FTP credentials from the image manifest files, effectively permitting unfettered read-write access to trusted repositories and IBM build servers.
An attack of this kind could have severe ramifications, as it enables the adversary to overwrite arbitrary files that are used in the build process of the PostgreSQL image, which would then be installed on every database instance.
The American technology giant, in an independent advisory, said that all IBM Cloud Databases for PostgreSQL instances were potentially impacted by the bug, but noted that it found no evidence of malicious activity.
It further stated that the fixes have been automatically applied to customer instances and that no further action is required. The mitigations were rolled out on August 22 and September 3, 2022.
“These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform,” the researchers said.
To mitigate such threats, it’s recommended that organizations monitor their cloud environments for scattered credentials, enforce network controls to prevent access to production servers, and safeguard against container registry scraping.
