Which security issue CANNOT be identified using Oracle Cloud Infrastructure
In June 2022, Wiz engineers discovered and reported #AttachMe, a major cloud isolation vulnerability in Oracle Cloud Infrastructure (OCI). Oracle patched the vulnerability within hours and without requiring any customer action.

What is AttachMe?
#AttachMe is one of the most severe cloud vulnerabilities reported to date, because it could have impacted every OCI customer. Cloud isolation vulnerabilities usually affect a single cloud service; in this case the flaw sat in a core service, the attachment of storage volumes to compute instances. Wiz engineers found that attaching a disk to a VM in another account did not require any permissions. A potential attacker could therefore have read and modified data belonging to any OCI customer, and in some cases could even have taken over the victim's environment. The potential attack flow was simple:
From there, a potential attacker could have performed numerous serious actions:
Oracle responded extraordinarily quickly when Wiz responsibly disclosed its discovery of #AttachMe. As an Oracle partner and customer, Wiz appreciates Oracle's collaboration and rapid attention to this issue. Oracle credited Wiz for discovering this vulnerability in its July 2022 Critical Patch Update Advisory.

How Wiz discovered AttachMe
While building the OCI connector for Wiz, our software engineers noticed that it was possible to attach almost any block volume or boot volume to a compute instance, given only its Oracle Cloud Identifier (OCID), without explicit authorization. After more testing, we realized that this worked even when the volume and the compute instance resided in different OCI tenancies. This meant that an attacker could gain access to a volume in another tenant (as long as they knew its OCID), and the volume's owner (the victim) would be totally unaware that someone else had read/write access to their data, because the compute instance and the attachment both lived in the attacker's tenancy and left no trace in the victim's.

Background - what are volumes in OCI?
As described in the OCI documentation, a volume is a virtual disk that provides persistent storage space for compute instances. There are two types of volumes in OCI: boot volumes and block volumes.
OCI supports multi-attachment of block volumes, meaning a single block volume can be attached to several instances at the same time using the shareable attachment option, with read/write or read-only access. Attaching a boot or block volume to a compute instance from the CLI is straightforward, requiring only the volume and instance OCIDs:
Based on the policy reference, AttachVolume requires a set of permissions that are evaluated per compartment. A volume attachment is an OCI resource that resides in the compute instance's compartment and describes the attachment of a volume to that instance. Permissions are applied to a compartment (and its compartment tree). However, as we discovered, there was a gap in how the caller's permissions on the volume itself were validated.

Demo
When an unauthorized user attempts to perform any operation on a volume, the service (correctly) returns an error indicating the user lacks the required permissions:
Figure 1: Attempting to access a volume using the CLI without sufficient permissions
However, before #AttachMe was remediated, attempting to attach a volume to a compute instance succeeded whether or not the user had any permissions on that volume:
Figure 2: Successfully attaching the same volume that we did not have permissions to access
Once the volume was attached, we could view and modify its content. The detailed requirements to exploit #AttachMe were:
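The demo above shows the effect; the following Python model shows the authorization gap that produces it, and doubles as the kind of negative test (cross-compartment, cross-tenancy input) that the "Lessons" section further down recommends writing for every sensitive API. This is an added example, not Oracle's code or the Wiz connector: the tenancy/compartment layout, the OCIDs and the permission names (modeled on OCI policy-reference style names such as INSTANCE_ATTACH_VOLUME, VOLUME_ATTACHMENT_CREATE and VOLUME_WRITE) are assumptions, and `attach_volume_fixed` is this example's hardening, not a description of Oracle's actual patch.

```python
"""Constructed model of the AttachVolume authorization gap behind #AttachMe.

Added illustration, not Oracle's code. Tenancies, compartments, OCIDs and
permission names are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    ocid: str
    tenancy: str      # tenancy (account) that owns the resource
    compartment: str  # compartment inside that tenancy


@dataclass
class Principal:
    name: str
    tenancy: str
    # compartment name -> set of permission names granted by IAM policies
    grants: dict = field(default_factory=dict)

    def has(self, permission: str, compartment: str) -> bool:
        return permission in self.grants.get(compartment, set())


class AuthorizationError(Exception):
    pass


# Permission names modeled on OCI's policy reference (assumed for this example).
ATTACHMENT_PERMS = ("INSTANCE_ATTACH_VOLUME", "VOLUME_ATTACHMENT_CREATE")
VOLUME_PERM = "VOLUME_WRITE"


def attach_volume_vulnerable(caller: Principal, instance: Resource, volume: Resource) -> dict:
    """Pre-fix behaviour as the post describes it: authorization is evaluated only
    in the compartment where the attachment resource is created (the instance's
    compartment). Nothing about the volume is checked, so any volume OCID from
    any tenancy can be attached."""
    for perm in ATTACHMENT_PERMS:
        if not caller.has(perm, instance.compartment):
            raise AuthorizationError(f"{caller.name} lacks {perm} on {instance.compartment}")
    return {"instance": instance.ocid, "volume": volume.ocid, "compartment": instance.compartment}


def attach_volume_fixed(caller: Principal, instance: Resource, volume: Resource) -> dict:
    """Hardened version (this example's, not Oracle's patch): the volume must be
    owned by the caller's tenancy and the caller must hold VOLUME_WRITE in the
    volume's own compartment, on top of the attachment-side permissions."""
    if volume.tenancy != caller.tenancy:
        raise AuthorizationError(f"{volume.ocid} belongs to another tenancy")
    if not caller.has(VOLUME_PERM, volume.compartment):
        raise AuthorizationError(f"{caller.name} lacks {VOLUME_PERM} on {volume.compartment}")
    return attach_volume_vulnerable(caller, instance, volume)


def cross_tenant_scenario():
    """Attacker in tenancy B targets a victim volume in tenancy A, knowing only its OCID."""
    victim_volume = Resource("ocid1.volume.oc1.iad.victimexample", "tenancy-a", "cmp-victim")
    attacker_instance = Resource("ocid1.instance.oc1.iad.attackerexample", "tenancy-b", "cmp-attacker")
    # The attacker is fully privileged in their own compartment, and nowhere else.
    attacker = Principal("attacker", "tenancy-b",
                         {"cmp-attacker": {*ATTACHMENT_PERMS, VOLUME_PERM}})
    before = attach_volume_vulnerable(attacker, attacker_instance, victim_volume)
    try:
        attach_volume_fixed(attacker, attacker_instance, victim_volume)
        after = "attached"
    except AuthorizationError as exc:
        after = f"denied: {exc}"
    return before, after


def same_tenancy_scenario() -> dict:
    """Legitimate owner attaches their own volume across compartments in one tenancy."""
    volume = Resource("ocid1.volume.oc1.iad.ownexample", "tenancy-a", "cmp-data")
    instance = Resource("ocid1.instance.oc1.iad.ownexample", "tenancy-a", "cmp-app")
    owner = Principal("owner", "tenancy-a",
                      {"cmp-app": set(ATTACHMENT_PERMS), "cmp-data": {VOLUME_PERM}})
    return attach_volume_fixed(owner, instance, volume)


if __name__ == "__main__":
    print(cross_tenant_scenario())
    print(same_tenancy_scenario())
```

The point of the model is the shape of the bug, not OCI's internals: the vulnerable path evaluates every permission against the compartment of the resource being created (the attachment), which the attacker controls, and never consults the compartment or tenancy of the resource being referenced by OCID (the volume). Any API that creates a resource linking two others needs an authorization check on each side of the link.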
Risk Analysis
When an attacker gains read access to your volumes, the main risk is a data breach. Volumes may contain sensitive information such as Personally Identifiable Information (PII), secrets, and more. The second risk is data manipulation and intrusion into your cloud network. Attaching a volume also grants write access, which could be used to manipulate any data on it, including the operating system itself (by modifying binaries, for example). Once the victim boots a machine from the tampered volume, the attacker gains code execution on that compute instance and a foothold in the victim's cloud environment. The potential attack paths include:
We consider both potential attack paths quite feasible, given that OCIDs are generally not treated as secrets. Numerous OCIDs of both block volumes and boot volumes from various environments, including those of major companies, can be found via a simple online search.
Figure 3: OCI volume identifier (OCID) found in one of Oracle's public GitHub projects
Volume OCIDs published on GitHub by other developers can be found the same way, confirming that these IDs are not treated as secrets in practice. Low-privileged users and third-party vendors with read access to an environment could also obtain OCIDs very easily.

Discovery and disclosure timeline
Upon discovering #AttachMe, we immediately disclosed our findings to Oracle, who investigated and fixed the issue in less than 24 hours. We were happy to collaborate with such a professional team.
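Because the attack needs nothing but a volume OCID, a defender's practical follow-up to the point above is to find out where their own volume OCIDs have been committed. The scanner below is an added example (not part of the Wiz post or any Oracle tooling); it relies only on the public OCID layout, `ocid1.<resource type>.<realm>.<region>.<unique id>`, and the sample input it ships with is constructed, with fake identifiers.

```python
"""Scan text or files for block/boot volume OCIDs that have leaked into code or configs.

Added example, not from the Wiz post or Oracle. Relies only on the public OCID
layout ocid1.<type>.<realm>.<region>.<unique id>; SAMPLE is constructed and every
OCID in it is fake.
"""
import re
import sys
from pathlib import Path

# Volume OCIDs always carry a region and end in a long lowercase alphanumeric
# unique id. Tenancy/compartment OCIDs have an empty region field and other
# resource types (instance, compartment, ...) are excluded by the type group.
VOLUME_OCID = re.compile(
    r"\bocid1\.(?P<type>volume|bootvolume)\.(?P<realm>oc\d+)"
    r"\.(?P<region>[a-z0-9-]+)\.(?P<uid>[a-z0-9]{20,})\b"
)

# Constructed sample: a Terraform snippet plus a line of shell history.
SAMPLE = """\
# constructed sample: a Terraform snippet and a line of shell history
resource "oci_core_volume_attachment" "demo" {
  instance_id = "ocid1.instance.oc1.iad.anuwcljsexampleinstance00000000000000000000"
  volume_id   = "ocid1.volume.oc1.iad.abuwcljsexamplevolume0000000000000000000000000"
}
oci compute volume-attachment attach --instance-id ocid1.instance.oc1.phx.anyhqljsexampleinst000000000000000000000 --volume-id ocid1.bootvolume.oc1.phx.abyhqljsexamplebootvol000000000000000000000 --type paravirtualized
compartment_id = "ocid1.compartment.oc1..aaaaaaaaexamplecompartment0000000000000000"
"""


def find_volume_ocids(text: str) -> list:
    """Return one dict per volume/boot-volume OCID found, with its 1-based line number."""
    hits = []
    for m in VOLUME_OCID.finditer(text):
        hits.append({
            "ocid": m.group(0),
            "type": m.group("type"),
            "region": m.group("region"),
            "line": text.count("\n", 0, m.start()) + 1,
        })
    return hits


def scan_paths(paths) -> dict:
    """Run the scanner over files or directory trees (e.g. a cloned repository)."""
    results = {}
    for p in paths:
        root = Path(p)
        files = [root] if root.is_file() else (f for f in root.rglob("*") if f.is_file())
        for f in files:
            try:
                text = f.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = find_volume_ocids(text)
            if hits:
                results[str(f)] = hits
    return results


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, hits in scan_paths(targets).items():
            for h in hits:
                print(f"{path}:{h['line']}: {h['type']} in {h['region']}: {h['ocid']}")
    else:
        for h in find_volume_ocids(SAMPLE):
            print(f"sample:{h['line']}: {h['type']} in {h['region']}: {h['ocid']}")
```

Run it with no arguments to see the two hits in the constructed sample, or point it at a checked-out repository. Treat a hit the way you would treat any other leaked resource identifier: it is not a credential, but after #AttachMe it is a reminder that identifiers alone have been enough for a full data compromise, and that an attacker never needed to touch the victim's tenancy to use one.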
Lessons for cloud builders and cloud defenders
Insufficient validation of user permissions is a common bug class among cloud service providers. The best way to identify such issues is rigorous code review and comprehensive testing of each sensitive API during development, including negative tests that pass in resources from other compartments and other tenancies. Oracle shared with us that they already use static code analysis to detect such problems during development, and that they investigate known and reported issues to ensure the problematic pattern does not recur elsewhere in the codebase. We also recommend performing service-specific penetration tests and participating in bug bounty programs, as both have proven effective against this type of issue.

Which security service is offered by Oracle Cloud Infrastructure?
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across your applications.

Which three are capabilities of Oracle Cloud Infrastructure?
Oracle Cloud Infrastructure Data Catalog includes capabilities to collaboratively define business terms in rich text, categorize them appropriately, and build a hierarchy to organize this vocabulary.

What are the disadvantages of Oracle Cloud?
Some of the cons of Oracle are that its integration with other tools is not simple. The platform takes time to get used to because it is complicated to navigate. Oracle Cloud is also focused on the high end, so what it offers at the low end can be quite limited.

Which three are Oracle's responsibilities in the shared security model in Oracle Cloud Infrastructure?
Oracle is responsible for providing effective IAM services such as identity management, authentication, authorization, and auditing.