Keeping up with new threats to serverless and cloud-native applications is a minute-by-minute task. Although serverless applications do not run on servers you manage, they still execute your code, so a vulnerability in that code still lets an attacker run malicious code and reach the cloud resources the function can access. Add to that the fact that most functions in a serverless architecture rely on third-party libraries for data serialization, and you have a serious weak spot in your serverless application.
Protego’s Zero-Day Defense feature learns each function’s legitimate behavior and builds a white-list profile from it. Anything outside that profile can be detected and blocked, even if the attacker has already bypassed the first line of defense, such as a firewall or another signature-based mechanism.
Zero-Day Attacks in the Serverless Environment
Let’s test this feature against a recent zero-day attack. In April and May 2019 a deserialization zero-day vulnerability in Oracle WebLogic Server, CVE-2019-2725, was discovered. It is a remote code execution vulnerability that is exploitable without authentication: an attacker on the network needs no username or password.
Anyone with HTTP access to the server can exploit it, and the bug carries a CVSS score of 9.8/10. The same class of weakness maps directly onto the serverless environment: serialization and deserialization are everywhere in serverless applications, whether of JSON or of language-native objects, so a deserialization attack is just as valid against a serverless function.
The impact of such an attack is, however, limited to what the compromised function is allowed to do within the system. If the function can read from the database, so can the attacker. If the function has been granted overly broad permissions, the attacker may be able to delete data and files in other cloud resources, turning a single vulnerable function into a serious security incident.
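To make the serverless angle concrete, here is an added example in Python (it is not from the original post and has nothing to do with WebLogic internals): a Lambda-style handler that unpickles a request body, beside a hardened version that accepts only JSON with an explicitly validated shape. The handler names, the order schema and the attacker’s payload are all constructed for this example; the payload’s __reduce__ calls a harmless recorder where a real attacker would name os.system.

```python
import base64
import json
import pickle

# Record of "attacker code" that ran during unpickling. A real payload would
# name os.system or subprocess.Popen here; a harmless recorder is used so the
# example is safe to run. (Constructed for this example.)
EXECUTED = []


def record_execution(marker):
    EXECUTED.append(marker)
    return marker


class MaliciousPayload:
    """Object whose unpickling runs attacker-chosen code.

    pickle.loads honours __reduce__, so the callable it names is invoked
    during deserialization, before the application ever sees an object.
    """

    def __reduce__(self):
        return (record_execution, ("attacker code ran inside the function",))


def build_attacker_body():
    """Constructed request body an attacker would send: base64 of a pickle."""
    return base64.b64encode(pickle.dumps(MaliciousPayload())).decode()


def vulnerable_handler(event):
    """Handler that trusts a pickled request body. Deserializing attacker
    input with a format that can encode code is the whole vulnerability."""
    order = pickle.loads(base64.b64decode(event["body"]))
    return {"statusCode": 200, "body": repr(order)}


def _valid_order(order):
    """White-list the exact structure the function needs; reject anything else."""
    if not isinstance(order, dict) or set(order) != {"user", "items"}:
        return False
    if not isinstance(order["user"], str) or len(order["user"]) > 64:
        return False
    items = order["items"]
    return (isinstance(items, list) and len(items) <= 100
            and all(isinstance(i, int) and not isinstance(i, bool) for i in items))


def hardened_handler(event):
    """Same handler using a data-only format plus explicit shape validation.
    JSON cannot carry a callable, so the attacker's pickle is a parse error."""
    try:
        order = json.loads(event["body"])
    except (TypeError, ValueError):
        return {"statusCode": 400, "body": "malformed JSON"}
    if not _valid_order(order):
        return {"statusCode": 400, "body": "unexpected order shape"}
    return {"statusCode": 200, "body": json.dumps(order)}


if __name__ == "__main__":
    attack = {"body": build_attacker_body()}
    print("vulnerable:", vulnerable_handler(attack), "executed:", EXECUTED)
    print("hardened:  ", hardened_handler(attack))
```

The hardened version does two separate things: it swaps a code-carrying format for a data-only one, and it rejects any document whose shape the function did not expect, so extra keys or wrong types never reach business logic.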
But how is this vulnerability exploited? The attacker manages to execute the following command, which first downloads a file using wget and then executes it through cmd.exe.
Protego’s Zero-Day Attack Feature in Action
For the attack described above, Protego would detect it on three different levels:
- The function is executing the processes powershell.exe and wget
- The function is connecting to an unknown remote host (188[.]166[.]74[.]218)
- The function is trying to execute the file %TEMP%\\radm.exe
Since none of these behaviors is part of the function’s legitimate, white-listed profile, each attempt would be detected and blocked instantly, stopping the attack before it turns into a security crisis.
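The following is an added Python example of the behavioral white-list idea described above; it is not Protego’s implementation. A profile is learned from constructed baseline telemetry (process launches, outbound connections, file executions), then the three indicators listed above are checked against it. The event format, the normalization rules and the baseline hosts are assumptions made for this example.

```python
from dataclasses import dataclass, field
import ntpath

# Event kinds a runtime sensor would report per invocation (assumed format:
# (kind, value) tuples). All events below are constructed for this example.
PROCESS, CONNECT, EXEC_FILE = "process", "connect", "exec_file"


def normalize(kind, value):
    """Canonicalize a value so trivial variations do not slip past the list."""
    value = value.strip().lower()
    if kind == PROCESS:
        # Compare executable names only: a full path and a bare name match.
        return ntpath.basename(value.replace("/", "\\"))
    if kind == CONNECT:
        # Drop the port and keep the host/IP (hostnames and IPv4 only here).
        return value.rsplit(":", 1)[0] if ":" in value else value
    return value.replace("/", "\\")


@dataclass
class FunctionProfile:
    """White-list of behavior observed while the function ran legitimately."""
    allowed: dict = field(default_factory=lambda: {
        PROCESS: set(), CONNECT: set(), EXEC_FILE: set()})

    def learn(self, events):
        for kind, value in events:
            self.allowed[kind].add(normalize(kind, value))

    def anomalies(self, events):
        """One alert per event that falls outside the learned profile."""
        return [f"{kind}: {value}" for kind, value in events
                if normalize(kind, value) not in self.allowed[kind]]


def enforce(profile, events):
    """Block the invocation if anything is anomalous; returns (blocked, alerts)."""
    alerts = profile.anomalies(events)
    return bool(alerts), alerts


# Constructed baseline: what the function does during normal invocations.
BASELINE_EVENTS = [
    (PROCESS, "python.exe"),
    (CONNECT, "orders-db.internal.example:5432"),
    (CONNECT, "api.payments.example:443"),
]

# Constructed attack telemetry mirroring the three detection points above.
ATTACK_EVENTS = [
    (PROCESS, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (PROCESS, "wget"),
    (CONNECT, "188.166.74.218:80"),
    (EXEC_FILE, "%TEMP%\\radm.exe"),
]


if __name__ == "__main__":
    profile = FunctionProfile()
    profile.learn(BASELINE_EVENTS)
    print("baseline:", enforce(profile, BASELINE_EVENTS))
    print("attack:  ", enforce(profile, ATTACK_EVENTS))
```

The learning set must come from trusted, known-good invocations: a profile learned while an attacker is already active would white-list the attacker’s behavior. Normalization is the other sharp edge; without it, a full path or a different port would read as a novel event and generate noise, while a too-loose normalizer would let a renamed binary match a legitimate one.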