Oracle Cloud admits users could access other customer data

By Scott Marlette Last updated Sep 21, 2022

A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed basically any user to read and write data belonging to any other OCI customer, researchers have claimed.

Experts from cloud security firm Wiz said they stumbled upon the vulnerability when building an OCI connector for their own tech stack, discovering that they could attach other people’s virtual disks to their virtual machine instances. The only thing they’d need is that other person’s storage (opens in new tab) volume Oracle Cloud Identifier, and that the other person’s volume supported multi-attachment (or wasn’t already attached).

With all these things aligned, a potential threat actor would be able to access any sensitive information found on the volume – and to make matters worse, they’d also be able to write over it.

Code execution

Describing the findings in a blog post (opens in new tab), Wiz’s Elad Gabay said the flaw “could be used to manipulate any data on the volume, including the operating system runtime (by modifying binaries, for example), thus gaining code execution over the remote compute instance and a foothold in the victim’s cloud (opens in new tab) environment, once the volume is used to boot a machine.”

Oracle moved quickly to remedy the vulnerability. After learning of the flaw, it fixed it within 24 hours, Gabay further stated, with no additional action was needed from the customers.

The Register spotted a Twitter thread by Wiz’s head of research, Shir Tamari, in which it was explained that the key problem lay in the lack of permissions verification in the AttachVolume API.

What we don’t know is whether or not anyone managed to abuse the flaw while it was active, and if they did, was it just to steal data, or to distribute malware, or even ransomware. So far, there is no evidence that something like that happened. We’ve reached out to Oracle, whose representatives said the company would not be commenting.

Via: The Register (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.