Researchers Uncover Supply Chain Vulnerability Impacting IBM Cloud PostgreSQL Databases

IBM Addresses Serious Security Flaw in Cloud Databases for PostgreSQL

IBM has recently patched a significant security vulnerability within its IBM Cloud Databases (ICD) for PostgreSQL service. This flaw, classified with a CVSS score of 8.8 and termed “Hell’s Keychain” by the cybersecurity firm Wiz, poses risks that could allow unauthorized modifications to internal repositories and execution of harmful code.

This vulnerability represents an unprecedented supply-chain attack vector impacting cloud providers, potentially enabling attackers to initiate remote code execution in customer environments. The risk extends to accessing and altering data stored in PostgreSQL databases, posing serious implications for organizations relying on this technology.

Wiz researchers Ronen Shustin and Shir Tamari explained that the vulnerability arises from a sequence of three exposed secrets—a Kubernetes service account token, a private container registry password, and CI/CD server credentials—combined with excessively permissive network access to internal build servers. The chain begins with an SQL injection flaw that grants superuser privileges on the database; from there, attackers can execute arbitrary commands on the virtual machine powering the database instance.

The ramifications of this vulnerability are extensive, as attackers leveraging this weakness can read the Kubernetes API token file from the compromised instance. This access facilitates further malicious activities, including the retrieval of container images from IBM’s private container registry. Such images often contain proprietary source code and binary artifacts crucial to a company’s intellectual property. Moreover, they can include sensitive information that attackers can use to identify more vulnerabilities within the service environment.

By extracting internal artifact repository and FTP credentials from image manifest files, Wiz noted that attackers could gain unchecked read-write access to trusted repositories and IBM’s build servers. This enables them to overwrite critical files used in PostgreSQL image building, impacting every instance where the database is deployed.

IBM has acknowledged the potential impact of this vulnerability across all its Cloud Databases for PostgreSQL instances, although no evidence of exploitation has been detected. The company has automatically applied necessary fixes to customer instances, with updates executed on August 22 and September 3, 2022, requiring no further action from users.

The researchers emphasize that these vulnerabilities could have enabled extensive exploit chains, culminating in a comprehensive supply-chain attack on IBM’s platform. They recommend that organizations enhance security measures by actively monitoring cloud environments for exposed credentials, enforcing rigorous network controls to shield production servers, and implementing protections against container registry scraping.
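The image-manifest credential leak described above and the "monitor for exposed credentials" recommendation motivate a defender-side check. The following is an added example, not code from the article, Wiz or IBM: a small scanner over a constructed OCI image config (the JSON that holds `config.Env` and the per-layer `history` build commands) that flags secret-looking environment variables and credentials embedded in build-command URLs, redacting the values it reports. All names and sample values are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample image config (not a real IBM image): it carries the kinds of
# leaks the article describes, a repository password in ENV and FTP credentials
# baked into a build step's download URL.
SAMPLE_IMAGE_CONFIG = json.dumps({
    "config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "ARTIFACTORY_PASSWORD=example-not-real",
        "PGDATA=/var/lib/postgresql/data",
    ]},
    "history": [
        {"created_by": "/bin/sh -c apt-get update"},
        {"created_by": "/bin/sh -c curl -O ftp://builder:s3cret@ftp.example.internal/pg.tar.gz"},
        {"created_by": "/bin/sh -c echo done"},
    ],
})

# Credential material that should never ship inside an image.
SECRET_PATTERNS = [
    ("env-secret", re.compile(r"^[A-Z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=", re.I)),
    ("url-with-creds", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I)),
]

def redact(text: str) -> str:
    """Strip user:password from URLs so findings can be logged safely."""
    return re.sub(r"://[^\s/@]+@", "://<redacted>@", text)

def scan_image_config(config_json: str) -> List[Dict[str, str]]:
    """Return findings for env vars and build-history commands that embed credentials."""
    cfg = json.loads(config_json)
    findings = []
    for env in cfg.get("config", {}).get("Env", []):
        for kind, pat in SECRET_PATTERNS:
            if pat.search(env):
                # Report only the variable name, never its value.
                findings.append({"kind": kind, "where": "config.Env", "value": env.split("=", 1)[0]})
                break
    for i, layer in enumerate(cfg.get("history", [])):
        cmd = layer.get("created_by", "")
        for kind, pat in SECRET_PATTERNS:
            if pat.search(cmd):
                findings.append({"kind": kind, "where": f"history[{i}]", "value": redact(cmd)})
                break
    return findings

if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_IMAGE_CONFIG):
        print(f"{f['kind']:15} {f['where']:12} {f['value']}")
```

In practice the config JSON comes from the registry's blob endpoint or from `docker image inspect`, and the scan belongs in the build pipeline before an image is pushed.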

Given the nature of this incident, relevant tactics from the MITRE ATT&CK framework include initial access through SQL injection, persistence via extraction of credentials, and privilege escalation to superuser status. Business owners must remain vigilant in fortifying their cybersecurity defenses against such sophisticated threats, as the landscape continues to evolve.
