This is the first publicly-disclosed vulnerability in a serverless platform.
IBM (International Business Machines Corporation) has patched a critical vulnerability in its IBM Cloud Functions service which, if exploited, could have allowed remote attackers to replace a company's serverless function code with their own.
Once such a change took effect, attackers could have extracted sensitive customer data, including login credentials and credit card numbers, deleted or modified data, conducted distributed denial-of-service (DDoS) attacks, and even used the server to mine cryptocurrencies.
The vulnerability was identified and reported [PDF] by IT security researchers at PureSec, an Israeli serverless security provider. It existed in Apache OpenWhisk, the open source serverless cloud platform used by thousands of well-known companies around the globe, including IBM.
“An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions such as leaking sensitive data during subsequent executions, which may belong to other end-users,” said PureSec’s CTO Ory Segal.
Tracked as CVE-2018-11756 and CVE-2018-11757, the vulnerability is the first publicly disclosed one in a serverless platform. The good news is that IBM patched the vulnerability before it could be exploited, and PureSec researchers also informed the OpenWhisk team and supplied a suggested fix that mitigates the risk. Apache has since released a patch, and the researchers advise Apache OpenWhisk users to update to the latest version immediately.
“Upon receiving and validating the details on this weakness from PureSec, the Apache OpenWhisk team reviewed and pushed a fix which mitigates the risk for OpenWhisk users,” said Rodric Rabbah, creator of the Apache OpenWhisk project. “We would like to thank PureSec; their contribution to serverless security has helped to make the OpenWhisk platform more secure.”
“The security of functions is an important tenet of serverless computing. The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure,” added Rabbah.
PureSec has also published a video showing the vulnerability in action.