GRC Viewpoint

The Vulnerability in the OCI (Oracle Cloud Infrastructure) Was Fixed

Oracle has fixed a vulnerability found in its cloud infrastructure. Had it gone unfixed, the exposure could have caused severe damage, including theft of essential data or compromise of important client files.

The flaw in the OCI, the Oracle Cloud Infrastructure, was detected in June during an inspection. The public was made aware of the defect on 20th September. Oracle further confirms that it fixed the flaw promptly.

Called #AttachMe, the vulnerability centers on the absence of permission checks when attaching storage volumes in the cloud.


The OCI is designed to allow a single volume to be attached to multiple instances simultaneously.

“Before it was patched, #AttachMe could have allowed attackers to access and modify other users’ OCI storage volumes without authorization, thereby violating cloud isolation. The vulnerability could have impacted all OCI customers or could have been used to target the infrastructure of individual client services,” says Elad Gabay, security researcher at Wiz.

Because the OCI did not check authorization on the volume being attached, an intruder would have had read/write access to any standard volume, regardless of whether they held sufficient permissions on it. The most probable impact would have been attackers using this avenue to alter or steal the data on the volume. They could also search it for cleartext secrets, and they could leverage the flaw to move laterally through the victim’s environment via the volume.
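As an added illustration (not part of the original article and not Oracle’s code), the following Python sketch models the gap described above: a hypothetical control plane whose attach-volume handler authorizes the target instance but not the caller-supplied volume identifier, beside the corrected form that checks both while still permitting the multi-attach the service is designed for. The class and function names, the sample tenants and identifiers, and the one-line tenant-ownership policy are all assumptions made for the example.

```python
"""Added illustration of the authorization gap the article describes.

Hypothetical control-plane logic written for this page, not Oracle's code:
a toy tenant model with an attach-volume handler in two forms, one that
authorizes only the target instance and one that also authorizes the volume.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a principal lacks permission on a resource."""


@dataclass
class Resource:
    ocid: str          # identifier; discoverable, not a secret
    tenant: str        # tenant (compartment) that owns the resource
    attached_to: set = field(default_factory=set)  # instance OCIDs attached


@dataclass
class Principal:
    name: str
    tenant: str


class ControlPlane:
    def __init__(self):
        self.volumes = {}
        self.instances = {}

    @staticmethod
    def _authorized(principal, resource):
        """Assumed simplified policy: a principal may use resources its tenant owns."""
        return principal.tenant == resource.tenant

    def attach_volume_vulnerable(self, principal, instance_id, volume_id):
        """Checks the instance only; the caller-supplied volume OCID is trusted."""
        instance = self.instances[instance_id]
        volume = self.volumes[volume_id]
        if not self._authorized(principal, instance):
            raise AuthorizationError("no permission on instance")
        volume.attached_to.add(instance_id)
        return "attached"

    def attach_volume_fixed(self, principal, instance_id, volume_id):
        """Checks both the instance and the volume; multi-attach within a tenant still works."""
        instance = self.instances[instance_id]
        volume = self.volumes[volume_id]
        if not self._authorized(principal, instance):
            raise AuthorizationError("no permission on instance")
        if not self._authorized(principal, volume):
            raise AuthorizationError("no permission on volume")
        volume.attached_to.add(instance_id)
        return "attached"


def build_sample():
    """Constructed sample state: two tenants, each with one volume and two instances."""
    cp = ControlPlane()
    for tenant in ("tenant-a", "tenant-b"):
        cp.volumes[f"vol-{tenant}"] = Resource(f"vol-{tenant}", tenant)
        for n in (1, 2):
            iid = f"inst-{tenant}-{n}"
            cp.instances[iid] = Resource(iid, tenant)
    return cp


def cross_tenant_attempt(variant):
    """A tenant-b principal asks to attach tenant-a's volume to its own instance."""
    cp = build_sample()
    bob = Principal("bob", "tenant-b")
    handler = getattr(cp, f"attach_volume_{variant}")
    try:
        handler(bob, "inst-tenant-b-1", "vol-tenant-a")
    except AuthorizationError:
        return "denied"
    return "attached"


def multi_attach_same_tenant():
    """With the fix, a tenant can still attach one volume to two of its own instances."""
    cp = build_sample()
    alice = Principal("alice", "tenant-a")
    cp.attach_volume_fixed(alice, "inst-tenant-a-1", "vol-tenant-a")
    cp.attach_volume_fixed(alice, "inst-tenant-a-2", "vol-tenant-a")
    return len(cp.volumes["vol-tenant-a"].attached_to)


if __name__ == "__main__":
    print("cross-tenant, vulnerable handler:", cross_tenant_attempt("vulnerable"))  # attached
    print("cross-tenant, fixed handler:     ", cross_tenant_attempt("fixed"))       # denied
    print("same-tenant multi-attach, fixed: ", multi_attach_same_tenant())          # 2
```

The point of the model is that the identifier of the volume is an input the caller controls, so the handler must authorize the volume itself and not just the instance it is being attached to; the fixed handler adds that second check without breaking the legitimate multi-attach case.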


“This (the vulnerability, if left unattended) could lead to severe sensitive data leakage for potentially all OCI customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim’s cloud environment. While OCIDs are generally private, they are not treated as secrets. It is relatively feasible to obtain these IDs from a quick GitHub or Google search,” says Sagi Tzadik, another security researcher at Wiz.
