Threat: Package Origin Spoofing
Description: An attacker creates a malicious Habitat package and signs it with a spoofed origin name, mimicking a trusted source. If systems are configured to trust this spoofed origin, the attacker can distribute malicious packages, tricking systems into downloading and installing compromised packages, potentially gaining initial access and deploying backdoors or malware.
Impact: System compromise, data breach, malware infection.
Affected Habitat Component: Packages, Origins, Builder
Risk Severity: Critical
Mitigation Strategies:
- Enforce Strict Origin Verification in Supervisors and Builder.
- Utilize Package Signing and Verification.
- Secure the Builder Infrastructure to prevent unauthorized package creation.
Threat: Package Tampering
Description: An attacker intercepts a legitimate Habitat package after it's built and signed but before deployment. The attacker can then inject malicious code, alter configurations, or modify dependencies within the package, leading to system compromise, data breach, malware infection, or service malfunction.
Impact: System compromise, data breach, malware infection, service malfunction.
Affected Habitat Component: Packages, Builder, Supervisor
Risk Severity: Critical
Mitigation Strategies:
- Implement End-to-End Package Signature Verification throughout the package lifecycle.
- Use Secure Package Storage and Distribution channels (private repositories, HTTPS).
- Utilize Immutable Package Storage to prevent post-build modifications.
Threat: Supervisor Binary Tampering
Description: An attacker gains access to a system and replaces the legitimate Supervisor binary with a malicious version. This compromised Supervisor can then control managed applications, gain system access, escalate privileges, or exfiltrate data from the host or managed applications.
Impact: Full system compromise, data breach, complete loss of control over managed applications.
Affected Habitat Component: Supervisor Binary, Operating System
Risk Severity: Critical
Mitigation Strategies:
- Secure the Supervisor Installation Process (trusted sources, secure channels).
- Implement File System Integrity Monitoring for Supervisor binaries and critical files.
- Harden the Operating System to prevent unauthorized file modifications.
Threat: Supervisor Privilege Escalation
Description: An attacker exploits vulnerabilities in the Supervisor binary or its interaction with the operating system. This can allow them to gain root or elevated privileges on the host system, leading to full system compromise and complete loss of control over the host and managed applications.
Impact: Full system compromise, complete loss of control over the host and managed applications.
Affected Habitat Component: Supervisor Binary, Operating System
Risk Severity: Critical
Mitigation Strategies:
- Regularly Update the Supervisor to patch known vulnerabilities.
- Apply Principle of Least Privilege for Supervisor execution (avoid running as root, use user namespaces).
- Harden the Operating System to reduce the attack surface.
Description: An attacker deploys a rogue Supervisor into the Habitat gossip network. This rogue Supervisor can disrupt service discovery, manipulate service groups, or inject malicious gossip data, potentially leading to service disruption, data corruption, or compromise of services managed by legitimate Supervisors.
Impact: Service disruption, data corruption, potential compromise of services managed by legitimate Supervisors.
Affected Habitat Component: Supervisor, Gossip Protocol, Service Groups
Risk Severity: High
Mitigation Strategies:
- Enable Gossip Encryption and Authentication.
- Implement Network Segmentation for the gossip network.
- Establish robust Supervisor Identity Management.
Description: An attacker compromises a Supervisor or performs a man-in-the-middle attack on the gossip network. They can then inject malicious configuration changes, weaken security settings, or disrupt service functionality by altering service configurations on running Supervisors through crafted gossip messages.
Impact: Service disruption, security compromise, data corruption, potential system compromise.
Affected Habitat Component: Gossip Protocol, Configuration Management, Supervisors
Risk Severity: High
Mitigation Strategies:
- Enable Gossip Encryption and Authentication.
- Implement Configuration Change Auditing.
- Enforce Role-Based Access Control for Configuration Management.
Description: Developers accidentally include secrets (API keys, passwords, certificates) directly within Habitat packages or configuration files. This can lead to secrets leakage if packages are publicly accessible or configurations are not properly secured, potentially resulting in unauthorized access to systems or resources.
Impact: Data breach, unauthorized access to systems and resources, compromise of sensitive information.
Affected Habitat Component: Packages, Configuration Templates, Secrets Management
Risk Severity: High
Mitigation Strategies:
- Utilize External Secrets Management (Habitat Secrets, Vault, AWS Secrets Manager).
- Ensure Secure Configuration Storage with restricted access.
- Conduct Code Reviews and Security Scans to identify and remove embedded secrets.
Description: An attacker exploits vulnerabilities or insecure practices within package lifecycle hooks (init, run, configure). This can allow them to execute arbitrary code with elevated privileges if hooks are run with such privileges, potentially leading to system compromise or data breach.
Impact: System compromise, data breach, potential for persistent malware installation.
Affected Habitat Component: Packages, Lifecycle Hooks, Supervisor
Risk Severity: High
Mitigation Strategies:
- Follow Secure Package Development Practices for lifecycle hooks (avoid untrusted commands, privileged operations).
- Implement Input Validation and Sanitization in lifecycle hooks.
- Apply Principle of Least Privilege when executing lifecycle hooks (avoid running as root if possible).