Serverless architectures are increasingly popular, as the cloud provider does most of the heavy lifting, allowing developers to focus on building and running their apps. But this popularity has attracted the scrutiny of threat actors.
Although serverless environments have a relatively reduced attack surface, with certain responsibilities shifted to the cloud provider (CSP), users must be careful not to introduce extra risk. This could happen if they write insecure code, misconfigure assets or fail to properly secure endpoints.
Through exploitation simulations of user-provided code vulnerabilities, we evaluated infected serverless environments on Microsoft Azure. In the process, we identified sensitive environmental variables inside the Microsoft Azure environment, leaving opportunities for malicious actors.
We found two critical issues:
1. Some crucial secrets for Azure serverless environments are stored inside “environment variables.” These variables are present in every process and inherited by default, significantly increasing the chance of exposure. Just one exploited vulnerability in one process could lead to a full compromise of the serverless environment.
2. If Azure customers use a master key for SSH access, it will allow attackers to escalate privileges inside a container with a known password. Users must deploy public key cryptography for authentication to SSH to stay secure.
Azure users should remember that they are responsible for implementing security best practises and policies to supplement Microsoft’s default security measures. Application code is particularly important as it could serve as an entry point for attackers if not properly secured, the report revealed.
We recommended the following for Azure serverless users:
- Follow the CSP’s recommendations for securing environments and projects
- Use vaults to store keys and passwords, even if it incurs additional cost
- Use custom images, which provide more opportunities for out-of-the-box solutions and additional security
- Use encrypted channels and pipelines to lock the values of the variables and ensure sensitive information (e.g., passwords and IDs) remain secret, even in the case of unauthorised access.
- Follow Zero Trust tenets to “assume breach” and minimise the impact of an attack stemming from vulnerability exploitation.
- Follow the principle of least privilege by using a non-privileged user for containers and applications, using managed identities and roles, and limiting public endpoints of linked cloud services. Also, consider using safer mechanisms for generating and managing secrets, such as passwords and API keys.
- Audit and secure all out-of-the-box solutions by performing third-party reviews and following vendors’ best practises for security
We strongly urged organisations using serverless computing services to understand and exercise their responsibility for securing these environments.
To read a full copy of the report, The State of Serverless Security on Microsoft Azure, please visit: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exploring-potential-security-challenges-in-microsoft-azure