Researchers on Tuesday reported that #AttachMe, a dangerous cloud isolation vulnerability in Oracle Cloud Infrastructure (OCI), was of grave concern because it could have been targeted by an attacker without authorization.
In a blog post, Wiz researchers said any unattached storage volume or attached storage volumes allowing multi-attachment could have been read from or written to as long as the attacker had the Oracle Cloud Identifier (OCID), which would have let sensitive data be exfiltrated or more destructive attacks initiated by executable file manipulation.
Wiz engineers discovered the vulnerability in June, and within 24 hours of being informed by Wiz, Oracle patched #AttachMe for all OCI customers. No customer action was required.
What made the #AttachMe vulnerability so critical?
Jerrod Piker, competitive intelligence analyst at Deep Instinct, said the issue was that attackers could potentially exfiltrate or destroy sensitive data within OCI storage volumes without authorization. Piker said most vulnerabilities at least require some sort of privileged access to enact, while this one only required the attacker to know the OCID for the volume to do the damage.
Piker said the #AttachMe vulnerability stands apart from other cloud isolation vulnerabilities in that it was related to the core OCI cloud service. Piker said what this means is that unattached storage volumes could have been attached by an attacker to a VM in another account without requiring any permissions. He said it’s extremely concerning because literally every OCI customer was a potential target.
“Oracle understood the severity of this vulnerability, and patched it within hours across the whole customer base, without requiring any action on the customer side,” Piker said. “While this is encouraging to see the rapid response from Oracle, it still causes concern for future cloud isolation vulnerabilities that may arise. The most important things to take action on are to lock down every cloud asset and resource with a least privilege model, and monitor and enforce access control to and activities related to all internet-facing cloud assets and information. There are many cloud security tools available to assist in these efforts, but the closer one can get to complete visibility of all user and resource activity the better.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that while there’s no indication that threat actors ever exploited this, any vulnerability that allows unauthorized access to another user’s data is problematic. Parkin said in this case, any user in the Oracle Cloud Infrastructure could attach to any other user’s volume if its ID was known.
“How much damage could come from the access would depend on what was in the volume, but any unauthorized access should be considered a bad thing,” Parkin said. “Fortunately, Oracle patched this vulnerability across their OCI environment within 24 hours of its coming to light. As for what should be done to prevent related issues in the future, security and development teams need to keep a tighter rein on any information that could lead to unauthorized access. That includes information like Volume IDs and other potentially revealing data that, while not vital secrets, should be treated as at least confidential information.”
Dan Benjamin, co-founder and CEO at Dig Security, considered the finding by the Wiz Security team very significant. Benjamin said cloud users must constantly put additional controls on their systems to protect data access across their environment. However, he said a vulnerability like this one means that even though they put in the right controls, they are at risk of a data breach.
“Even though Oracle has already resolved the issue, the vulnerability is definitely as dangerous as the Wiz research team says and could have widespread impact across Oracle's cloud user base,” Benjamin said. “This is another example of security teams needing to patch quickly and patch often.”