HCSEC-2023-27 - Terraform Allows Arbitrary File Write During Init Operation

Bulletin ID: HCSEC-2023-27
Affected Products / Versions: Terraform 1.0.8 through 1.5.6; fixed in 1.5.7.
Publication Date: September 8, 2023

Terraform 1.0.8 through 1.5.6 allows arbitrary file write during the init operation if run on maliciously crafted Terraform configuration. This vulnerability, CVE-2023-4782, was fixed in Terraform 1.5.7.

The core Terraform workflow uses 3 main operations; init, plan, and apply.

The Terraform init operation initializes a working directory containing Terraform configuration files, downloading the required modules and providers for subsequent plan and apply operations.

While both the plan and apply operations are intended to execute the user-supplied Terraform configuration, init is intended only to be used for installing dependencies specified in the Terraform configuration.

An external party reported that it was possible to coerce Terraform into writing arbitrary files during the init operation by supplying a maliciously crafted Terraform configuration.

Terraform considers the provided Terraform configuration to be trusted when executing plan and apply, and does not attempt to defend against malicious modules and providers when executing these operations. By contrast, init is intended to be a safer operation, allowing users to review the installed modules and providers prior to executing plan or apply.

Exposure associated with this issue will depend on the environment in which Terraform is being executed and, for many deployments, may present minimal additional risk. In order for this vulnerability to pose a privilege escalation risk, the following conditions must be met:

  1. Terraform init is run on untrusted Terraform configuration, or Terraform configuration containing untrusted modules.
  2. The Terraform user is relying on security validations performed on the dependencies installed by Terraform init prior to running the Terraform plan or apply operations.

Terraform Cloud and Terraform Enterprise combine the init and plan operations during Terraform runs, so this issue does not break the documented security model. Recommendations for secure use, specifically regarding use of trusted providers / modules and control of access to configuration source code, remain applicable.

Customers should evaluate the risk associated with this issue, specifically with the conditions above in mind, and consider upgrading to Terraform 1.5.7 or newer.

HashiCorp thanks Lum14n of Eagle Cloud Security Technology for the discovery of this issue.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.