
=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN312

_____________________________________________________________________

DATE                : 12/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Terraform 1.0.8 through 1.5.6 (fixed in 1.5.7).

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082
_____________________________________________________________________


HCSEC-2023-27 - Terraform Allows Arbitrary File Write During Init
Operation



Bulletin ID: HCSEC-2023-27
Affected Products / Versions: Terraform 1.0.8 through 1.5.6;
fixed in 1.5.7.

Publication Date: September 8, 2023


Summary

Terraform 1.0.8 through 1.5.6 allows arbitrary file write during the
init operation if run on maliciously crafted Terraform configuration.
This vulnerability, CVE-2023-4782, was fixed in Terraform 1.5.7.


Background
The core Terraform workflow uses three main operations: init, plan, and
apply.

The Terraform init operation initializes a working directory
containing Terraform configuration files, downloading the required
modules and providers for subsequent plan and apply operations.

While both the plan and apply operations are intended to execute
the user-supplied Terraform configuration, init is intended only
to be used for installing dependencies specified in the Terraform
configuration.


Details
An external party reported that it was possible to coerce Terraform
into writing arbitrary files during the init operation by supplying
a maliciously crafted Terraform configuration.

Terraform considers the provided Terraform configuration to be
trusted when executing plan and apply, and does not attempt to
defend against malicious modules and providers when executing
these operations. By contrast, init is intended to be a safer
operation, allowing users to review the installed modules and
providers prior to executing plan or apply.

Exposure associated with this issue will depend on the environment
in which Terraform is being executed and, for many deployments, may
present minimal additional risk. In order for this vulnerability to
pose a privilege escalation risk, the following conditions must be
met:

  - Terraform init is run on untrusted Terraform configuration, or on
    Terraform configuration containing untrusted modules.
  - The Terraform user is relying on security validations performed
    on the dependencies installed by Terraform init prior to running
    the Terraform plan or apply operations.

Terraform Cloud and Terraform Enterprise combine the init and plan
operations during Terraform runs, so this issue does not break the
documented security model. Recommendations for secure use,
specifically regarding use of trusted providers / modules and
control of access to configuration source code, remain applicable.


Remediation
Customers should evaluate the risk associated with this issue,
specifically with the conditions above in mind, and consider
upgrading to Terraform 1.5.7 or newer.
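
The check below is an added example written for this note; it is not
code from HashiCorp or from CERT-Renater. It decides whether a given
Terraform version falls inside the affected range stated in the bulletin
(1.0.8 through 1.5.6 inclusive), comparing the version field by field so
that, for instance, 1.5.10 is correctly treated as newer than 1.5.7 (a
plain string comparison gets this wrong). The only assumptions are that
`terraform` is on PATH for the live check at the end, and that a
pre-release suffix such as "-beta1" can be ignored for this purpose.

```shell
#!/bin/sh
# Added example, not part of the HashiCorp bulletin or the CERT-Renater
# note: flag Terraform builds in the CVE-2023-4782 range 1.0.8..1.5.6.
# Plain POSIX sh so it runs in minimal CI images without jq or python.

# version_cmp A B: prints -1, 0 or 1 after comparing dotted numeric
# versions field by field (major, minor, patch). Missing fields count
# as 0, so "1.5" equals "1.5.0".
version_cmp() {
    a="$1"; b="$2"
    # Assumption: a pre-release suffix ("1.5.7-beta1") is dropped and
    # the version is compared as its numeric core.
    a="${a%%-*}"; b="${b%%-*}"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# is_affected VERSION: exit status 0 when 1.0.8 <= VERSION <= 1.5.6
# (the range given in HCSEC-2023-27), 1 otherwise.
is_affected() {
    v="$1"
    [ "$(version_cmp "$v" 1.0.8)" -ge 0 ] && [ "$(version_cmp "$v" 1.5.6)" -le 0 ]
}

# Live check against the installed binary. `terraform version -json`
# prints a JSON object whose "terraform_version" key holds the version.
# Assumption: terraform is on PATH; if it is not, nothing is printed and
# the functions above remain usable on their own.
if command -v terraform >/dev/null 2>&1; then
    tv=$(terraform version -json | sed -n 's/.*"terraform_version": *"\([^"]*\)".*/\1/p')
    if is_affected "$tv"; then
        echo "terraform $tv is in the affected range for CVE-2023-4782; upgrade to 1.5.7 or newer"
    else
        echo "terraform $tv is not in the affected range"
    fi
fi
```

Drop this into a pre-flight step of a pipeline that runs `terraform init`
on configuration it does not fully control; the two conditions listed
above are exactly where that pipeline would be relying on init being a
safe operation.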


Acknowledgement
HashiCorp thanks Lum14n of Eagle Cloud Security Technology for
the discovery of this issue.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities,
please see https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

