A “critical” vulnerability in the Oracle Cloud Infrastructure could have been exploited by any customer to read and write other OCI customers’ data without authorization checks, according to security researchers at Wiz.
Fortunately, the IT giant patched the vulnerability “within 24 hours” of Wiz reporting the bug, according to Wiz’s Elad Gabay. The good news is that the fix required no action from customers.
Essentially, the flaw described by Wiz could be exploited as follows: if you knew the Oracle Cloud Identifier for another customer’s storage volume – which is no secret – you could attach that volume to your own virtual machine in Oracle’s cloud, as long as the volume was not already attached or supported multiple attachments. So get the identifier, mount the volume, and access it as if it were yours, including all the sensitive information on it. Oracle’s infrastructure did not verify that you were authorized to attach the storage.
The flaw, dubbed AttachMe by Wiz — a cloud security outfit, natch — serves as a cautionary tale about vulnerabilities in cloud isolation and how attackers can exploit those flaws to “break through the walls between tenants,” Gabay wrote earlier today.
Let’s hope the Wiz team found the bug before criminals did. Exploiting AttachMe could have allowed an attacker to scan storage for valuable information or dig deeper into a victim’s cloud environment by modifying programs to contain backdoors and malware, the security researchers said.
Gaining write access, Gabay explained, “could be used to manipulate any data on the volume, including the operating system’s runtime (e.g. by modifying binaries), allowing code execution via the remote compute instance and a foot in the Victim’s cloud environment could be obtained once the volume is used to boot a machine.”
Wiz engineers discovered the bug over the summer while building an OCI connector for their own tech stack. During this process, they found that they could attach any available virtual disk to their own VM instances. We’re told that it’s fairly easy to find someone’s Oracle Cloud Identifier via a web search or by using a low-privileged user permission to read the identifier from the victim’s environment.
After obtaining the victim’s volume ID, a rogue would need to spin up a compute instance in the same Availability Domain (AD) as the target volume. Once attached, the attacker gains read and write permissions for the volume.
No one at Oracle could be reached for comment.
Wiz’s research director Shir Tamari said in a series of tweets about the vulnerability that the root cause was the lack of permission checking in the AttachVolume API. It was also the first time that Wiz researchers, who look for this type of cross-tenant vulnerability in different clouds, had found one in a cloud service provider’s infrastructure, they wrote.
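The root cause described above, a volume-attach operation that gated on placement and attachment state but never on whether the caller was entitled to the volume, is easy to model. The following is an added illustration, not Oracle’s code or anything Wiz published: the data classes, function names, OCID-style strings and the audit-record shape are all constructed here. It shows the missing-check version beside a hardened one that authorizes the caller against both resources, and a small detection pass that flags attach events whose volume and instance belong to different tenancies.

```python
"""
Toy model of the authorization gap Wiz attributed to the AttachVolume API.
Added illustration, not Oracle's code: the data model, function names,
OCID-style strings and audit records are all constructed for this example,
and "tenancy" stands in for whatever ownership boundary a real platform
checks via its IAM policies.
"""
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str
    tenancy: str                      # tenancy that owns the volume
    availability_domain: str
    multi_attach: bool = False        # volumes that allow shared attachment
    attached_to: set = field(default_factory=set)


@dataclass
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


@dataclass
class Caller:
    tenancy: str                      # tenancy the API caller authenticated as


class AttachDenied(Exception):
    pass


def attach_volume_unchecked(caller: Caller, instance: Instance, volume: Volume) -> None:
    """Models the reported flaw: `caller` is never consulted, so the caller's
    right to the volume is never checked. The only gates are placement
    (same availability domain) and attachment state."""
    if volume.availability_domain != instance.availability_domain:
        raise AttachDenied("volume and instance are in different availability domains")
    if volume.attached_to and not volume.multi_attach:
        raise AttachDenied("volume is already attached")
    volume.attached_to.add(instance.ocid)


def attach_volume_checked(caller: Caller, instance: Instance, volume: Volume) -> None:
    """Hardened form: authorize the caller against BOTH resources before
    touching attachment state. Checking only the instance (which the caller
    obviously owns) is exactly the gap that lets a tenant bind someone
    else's disk to their own machine."""
    if caller.tenancy != volume.tenancy:
        raise AttachDenied("caller is not authorized to use this volume")
    if caller.tenancy != instance.tenancy:
        raise AttachDenied("caller is not authorized to use this instance")
    attach_volume_unchecked(caller, instance, volume)


def try_attach(fn, caller: Caller, instance: Instance, volume: Volume) -> str:
    """Run an attach function and report the outcome as a short string."""
    try:
        fn(caller, instance, volume)
    except AttachDenied as exc:
        return f"denied: {exc}"
    return "attached"


# Detection side. The record shape below is constructed for this example;
# real audit logs have their own schema. The idea that carries over is to
# compare the owning tenancies of the two resources in every attach event.
def find_cross_tenant_attachments(events: list[dict]) -> list[str]:
    """Return ids of attach events where the volume's owner differs from the
    instance's owner, a condition that should never occur with correct authz."""
    return [
        e["event_id"]
        for e in events
        if e["action"] == "AttachVolume"
        and e["volume_tenancy"] != e["instance_tenancy"]
    ]


if __name__ == "__main__":
    # Constructed sample: a volume owned by one tenancy, a VM in another, same AD.
    victim_vol = Volume("ocid1.volume.oc1..victim0001", "tenancy-victim", "AD-1")
    other_vm = Instance("ocid1.instance.oc1..other0001", "tenancy-other", "AD-1")
    other = Caller("tenancy-other")
    print("unchecked:", try_attach(attach_volume_unchecked, other, other_vm, victim_vol))
    fresh_vol = Volume("ocid1.volume.oc1..victim0002", "tenancy-victim", "AD-1")
    print("checked:  ", try_attach(attach_volume_checked, other, other_vm, fresh_vol))
```

The point of `attach_volume_checked` is that the authorization decision is made on every resource the call touches, not just the one the caller is creating or controlling; the detection function is the corresponding after-the-fact check, which is worth running over historical attach events whenever a platform announces a fix of this kind.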
Earlier this year, Wiz researchers found a similar cloud isolation vulnerability affecting a specific cloud service in Azure. These bugs, fixed by Microsoft, were in the Azure Database for PostgreSQL Flexible Server authentication process.
If exploited, they could have allowed any Postgres administrator to gain superuser privileges and access other customers’ databases.
Just last month, the cloud security shop said the same type of PostgreSQL bug also affected Google Cloud Services. ®
https://www.theregister.com/2022/09/21/oracle_fixes_critical_cloud_vuln/ Oracle Cloud Fixes “Critical” Data Access Vulnerability • The Register