DataDog / stratus-red-team

Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0

New attack technique: Persistence AWS Lambda Layer Extension #427

Closed adanalvarez closed 1 year ago

adanalvarez commented 1 year ago

What does this PR do?

Motivation

Two weeks ago, AWS published an article about how to enhance runtime security using Lambda extensions.

An attacker can abuse this same technique to gain persistence. Last year, ClearVector described in detail how to perform this attack in this article.

Because a Lambda can use layers from other accounts, an attacker with access to a Lambda can add a new layer to compromise the Lambda without changing the code.

The extension created by the Terraform is not malicious. It is the one from this example. (I didn't install the requirements, as the main goal is not to make the extension work, and installing requirements will make the base64 extremely large.)

Checklist

christophetd commented 1 year ago

Thanks for the PR! Looks great overall, just one question: assuming the malicious Lambda layer would be created as part of the attack (it doesn't seem to be a pre-requirement for the attack to happen), should it be created at detonation time?

adanalvarez commented 1 year ago

> Thanks for the PR! Looks great overall, just one question: assuming the malicious Lambda layer would be created as part of the attack (it doesn't seem to be a pre-requirement for the attack to happen), should it be created at detonation time?

Yes, if the Lambda layer is created as part of the attack, then it makes sense for it to be created at detonation time. I didn't approach it this way because my main focus was on updating the Lambda function rather than creating the layer. The attacker does not need to create the layer in the same account; they might already have the layer in an account they control. To avoid people creating alerts searching for a layer creation event that might not occur, I thought it best to set it as a prerequisite.
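
A detection sketch for the point made in the comment above, added here as an example and not part of the PR or of Stratus Red Team: it keys on the function configuration update rather than on layer creation, and flags layers owned by an account other than the function's. The sample records are constructed, the account IDs and function names are placeholders, and the CloudTrail field layout (`recipientAccountId`, `requestParameters.layers`, `errorCode`, versioned event names) is an assumption to verify against your own trail.

```python
# Constructed CloudTrail-style records (not real logs); account IDs are placeholders.
# Assumed field layout: recipientAccountId, requestParameters.layers, errorCode.
def _ev(account, params, name="UpdateFunctionConfiguration20150331v2", error=None):
    ev = {"eventSource": "lambda.amazonaws.com", "eventName": name,
          "recipientAccountId": account, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev

OWN, OTHER = "111111111111", "999999999999"
OWN_LAYER = f"arn:aws:lambda:us-east-1:{OWN}:layer:shared-libs:3"
OTHER_LAYER = f"arn:aws:lambda:us-east-1:{OTHER}:layer:ext:1"
SAMPLE_EVENTS = [
    _ev(OWN, {"functionName": "fn-a", "layers": [OWN_LAYER]}),               # same-account layer
    _ev(OWN, {"functionName": "fn-b", "layers": [OWN_LAYER, OTHER_LAYER]}),  # cross-account layer
    _ev(OWN, {"functionName": "fn-c", "timeout": 30}),                       # no layer change
    _ev(OWN, {"functionName": "fn-d", "layers": [OTHER_LAYER]}, error="AccessDenied"),  # failed call
    _ev(OWN, {"layerName": "ext"}, name="PublishLayerVersion20181031"),      # layer creation only
]

def layer_account(arn):
    """Return the account ID that owns a layer version ARN, or None if malformed."""
    parts = arn.split(":")
    # Expected shape: arn:<partition>:lambda:<region>:<account>:layer:<name>:<version>
    if len(parts) == 8 and parts[2] == "lambda" and parts[5] == "layer":
        return parts[4]
    return None

def foreign_layer_findings(events, trusted_accounts=frozenset()):
    """Return (function, layer ARN, owner) for each layer attached from another account."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        # Prefix match so the versioned suffix of the event name does not matter.
        if not ev.get("eventName", "").startswith("UpdateFunctionConfiguration"):
            continue
        if ev.get("errorCode"):  # a failed call changed nothing
            continue
        params = ev.get("requestParameters") or {}
        home = ev.get("recipientAccountId")
        for arn in params.get("layers") or []:
            owner = layer_account(arn)
            # A malformed ARN yields owner None and is reported as well.
            if owner != home and owner not in trusted_accounts:
                findings.append((params.get("functionName"), arn, owner))
    return findings

if __name__ == "__main__":
    for finding in foreign_layer_findings(SAMPLE_EVENTS):
        print(finding)
```

`trusted_accounts` is the allowlist for accounts whose layers are consumed on purpose; everything else attached from outside the function's own account is reported.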

christophetd commented 1 year ago

Sounds fair, thanks!