Vulnerabilities In Serverless Computing Environments

577

In response to the conversation generated by this cryptomining POC taking advantage of vulnerabilities associated with serverless computing environments, Ori Pekelman, CPO at PaaS provider Platform.sh. commented below.

Ori Pekelman, CPO at Platform.sh.:

“It should go without saying that remote code execution exploits are bad. And using that to target serverless computing environments for cryptomining is a logical progression for hackers, however there are some cautions with this narrative as an organization that works with these environments on a daily basis.

When an attack of this nature, regardless of its objective, happens on platforms that auto-scale with no limits on spending and no monitoring, they absolutely could ramp up your bills at the end of the day. While this is true in theory, the assumption that these services are not monitored or capped is wrong; so is the assumption that remote code execution is normal and happens everywhere on production systems.

Ultimately, organizations should not be running code that is vulnerable to remote code execution. If you can run arbitrary code in there, it is not only bitcoin mining you should worry about. If this is truly the case, that means the attacker has access to whatever the service or application you have running has access to: databases, personal information, etc.

In short, if you apply normal best practices and deploy minimally-secure code, deploying it as a serverless function does not increase your attack surface. Because correctly built serverless architectures usually apply the principal of least privilege (each component scoped to just what it needs), it may in effect reduce the effects of hostile code running in your perimeter. Yes, it may increase, ever so slightly, the motivation to attack you. But these days, you should always assume that anything vulnerable will be exploited.

Up until now, the effects of exploits would be that you would have a massive data breach, but now you also must worry about running out of money to pay the lawyers. But here the mitigation is simple enough: don’t run unmonitored and uncapped services in production – serverless or otherwise.