Vulnerability could have been used to bypass cloud isolation protection

AttachMe Oracle cloud bug exposed volumes to data theft, hijack

Oracle has patched a critical vulnerability in its cloud infrastructure that could have allowed attackers to steal data or tamper with client files.

On September 20, Wiz security researcher Elad Gabay publicly disclosed the security flaw, found in June following an examination of Oracle Cloud Infrastructure (OCI).

Dubbed #AttachMe, the “major” bug centers on one problem: a lack of permissions protection when attaching volumes to OCI.

Attack path

An attack would begin with the use of a target’s unique identifier, their cloud environment ID (OCID), which could be found via publicly available information or a low-privilege account.

A threat actor would then initiate an instance in an attacker-controlled tenant – located in the same availability domain (AD) as the target volume – before attaching the victim’s volume to the instance.

Read more of the latest cloud security news

OCI, by design, supports the attachment of a single volume to multiple instances simultaneously.

The lack of authorization checks would ensure the attacker had read/write privileges over the target volume, whether or not they had sufficient permissions.

As a result, it may have been possible for attackers to leverage this avenue to steal or modify information, search for cleartext secrets, or move laterally across the volume.

Worst-case scenario

In the worst-case scenario, attackers could potentially hijack an environment by manipulating binaries to achieve code execution.

“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users’ OCI storage volumes without authorization, thereby violating cloud isolation,” Gabay said.

Wiz added that the vulnerability could have impacted all OCI customers or could have been used to target the infrastructure of individual client services.

The Wiz security team disclosed its findings to Oracle on June 9, three days after discovery.

Oracle acknowledged the security report on June 10, and it was on the same day that the vulnerability was confirmed and fixed. No OCI customer action is required.

Catch up with the latest cybersecurity vulnerability news

Speaking to The Daily Swig, Wiz researcher Sagi Tzadik said that the real-world ramifications of the vulnerability, if not patched so rapidly by oracle, could have been quite severe.

“This could lead to severe sensitive data leakage for potentially all OCI customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim’s cloud environment,” he commented.

“While OCIDs are generally private, they are not treated as secrets. It is relatively feasible to obtain these IDs from a quick GitHub or Google search.”

Oracle declined to comment, but thanked Gabay in the firm’s July 2022 Critical Patch Update notes.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz added.

“The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage. We also recommend performing service-specific penetration tests and participating in bug bounty programs, as these have proven effective with these types of issues.”

DON’T MISS Tarfile path traversal bug from 2007 still present in 350k open source repos