Oracle Cloud at one point would let you access any other customer's data
chmod a+rw at hyperscale
A "critical" Oracle Cloud Infrastructure vulnerability could have been exploited by any customer to read and write data belonging to any other OCI customer without any permission checks, according to Wiz security researchers.
Luckily, upon disclosing the bug to Oracle, the IT giant patched the security hole "within 24 hours," according to Wiz's Elad Gabay. The good news is that the fix didn't require any action on the part of customers.
Essentially, the flaw, as described by Wiz, could be exploited thus: if you knew the Oracle Cloud Identifier for another customer's storage volume – which is not a secret – you could attach that volume to your own virtual machine in Oracle's cloud as long as the volume wasn't already attached or supported multi-attachment. So, obtain the identifier, attach a volume, access it as if it were yours, including any sensitive information on it. Oracle's infrastructure didn't check that you had permission to attach the storage.
The bug, dubbed AttachMe by Wiz – a cloud security outfit, natch – serves as a cautionary tale about cloud isolation vulnerabilities and how attackers can exploit these flaws to "break the walls between tenants," Gabay wrote earlier today.
Let's hope the Wiz team found the flaw before any criminals did. Exploiting AttachMe could have allowed an attacker to mine storage for valuable information or burrow deeper into a victim's cloud environment by altering programs to include backdoors and malware, according to the security researchers.
Gaining write access, Gabay explained, "could be used to manipulate any data on the volume, including the operating system runtime (by modifying binaries, for example), thus gaining code execution over the remote compute instance and a foothold in the victim's cloud environment, once the volume is used to boot a machine."
Wiz's engineers discovered the flaw over the summer while building an OCI connector for their own tech stack. During this process, they found they could attach anyone's available virtual disk to their own VM instances. We're told it's fairly easy to find someone's Oracle Cloud Identifier via a web search or by using a low-privileged user permission to read the identifier from the victim's environment.
After obtaining the victim's volume identifier, a miscreant would have to spin up a compute instance in the same Availability Domain (AD) as the target volume. Once attached, the attacker obtains read and write privileges over the volume.
No one at Oracle was available to comment.
Wiz's head of research Shir Tamari, in a series of tweets about the vulnerability, noted its root cause was the lack of permissions verification in the AttachVolume API. It was also the first time Wiz researchers, who have been poking around various clouds for this type of cross-tenant vulnerability, found one in a cloud service provider's infrastructure, he noted.
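To make that root cause concrete, here is a constructed Python model of an attach-volume control-plane handler in its vulnerable and fixed forms. It is an illustration added for this article, not Oracle's code or Wiz's research material; the tenancy names, OCIDs and the simplified "same tenancy" ownership rule are assumptions.

```python
"""Constructed model of the AttachMe bug class: a control-plane call that
validates the resource's *state* (availability domain, attachment state) but
never checks that the caller is authorised to touch the resource at all.
Not Oracle's code; ownership is reduced to a single tenancy string."""
from dataclasses import dataclass, field
from typing import Callable, Set


@dataclass
class Volume:
    ocid: str                      # identifier, not a secret
    tenancy: str                   # owning tenancy
    availability_domain: str
    multi_attach: bool = False
    attached_to: Set[str] = field(default_factory=set)


@dataclass
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


class AttachError(Exception):
    pass


def _check_state(inst: Instance, vol: Volume) -> None:
    # These are the only checks the vulnerable handler performs.
    if inst.availability_domain != vol.availability_domain:
        raise AttachError("volume and instance must share an availability domain")
    if vol.attached_to and not vol.multi_attach:
        raise AttachError("volume already attached and not multi-attach")


def attach_volume_vulnerable(caller_tenancy: str, inst: Instance, vol: Volume) -> None:
    """State checks only: anyone who knows the OCID can attach (the bug)."""
    _check_state(inst, vol)
    vol.attached_to.add(inst.ocid)


def attach_volume_fixed(caller_tenancy: str, inst: Instance, vol: Volume) -> None:
    """Authorisation first: the caller must own both the instance and the volume."""
    if caller_tenancy != inst.tenancy or caller_tenancy != vol.tenancy:
        # Deny before any state is inspected, and do not reveal whether the OCID exists.
        raise AttachError("NotAuthorizedOrNotFound")
    _check_state(inst, vol)
    vol.attached_to.add(inst.ocid)


def try_attach(handler: Callable, caller: str, inst: Instance, vol: Volume) -> str:
    """Run a handler and report the outcome as a string (handy for audits/tests)."""
    try:
        handler(caller, inst, vol)
        return "attached"
    except AttachError as exc:
        return f"denied: {exc}"
```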
Earlier this year, Wiz researchers did find a similar cloud isolation vulnerability that impacted a specific cloud service in Azure. These flaws, which Microsoft fixed, were in Azure Database for PostgreSQL Flexible Server's authentication process.
If exploited, they could have allowed any Postgres admin to gain superuser privileges and access other customers' databases.
Just last month, the cloud security shop said this same type of PostgreSQL flaw also affected Google cloud services. ®