Oracle Cloud admits users could access other customer data
Lack of permissions verification in the AttachVolume API caused a lot of trouble
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed basically any user to read and write data belonging to any other OCI customer, researchers have claimed.
Experts from cloud security firm Wiz said they stumbled upon the vulnerability when building an OCI connector for their own tech stack, discovering that they could attach other people’s virtual disks to their virtual machine instances.
Best cloud storage: Expand your storage easilyBest cloud backup: Protect your data on the goBest cloud storage for photos: Space for your photosBest business cloud storage: Data resilience for businessBest free cloud storage: Bits and bytes online for free
The only thing they’d need is that other person’s storage volume Oracle Cloud Identifier, and that the other person’s volume supported multi-attachment (or wasn’t already attached).
With all these things aligned, a potential threat actor would be able to access any sensitive information found on the volume - and to make matters worse, they’d also be able to write over it.
Code execution
Describing the findings in ablog post, Wiz’s Elad Gabay said the flaw “could be used to manipulate any data on the volume, including theoperating systemruntime (by modifying binaries, for example), thus gaining code execution over the remote compute instance and a foothold in the victim’s cloud environment, once the volume is used to boot a machine.”
Oracle moved quickly to remedy the vulnerability. After learning of the flaw, it fixed it within 24 hours, Gabay further stated, with no additional action was needed from the customers.
The Registerspotted a Twitter thread by Wiz’s head of research, Shir Tamari, in which it was explained that the key problem lay in the lack of permissions verification in the AttachVolume API.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
What we don’t know is whether or not anyone managed to abuse the flaw while it was active, and if they did, was it just to steal data, or to distribute malware, or even ransomware. So far, there is no evidence that something like that happened. We’ve reached out to Oracle, whose representatives said the company would not be commenting.
Via:The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
7 myths about email security everyone should stop believing
Lego will let you build Sir Ernest Shackleton’s iconic lost ship, the Endurance, in its next Icons set
