A new vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed unauthorized access to cloud storage volumes of all users, thereby violating cloud isolation.
The security flaw, discovered by secure cloud experts at Wiz in June and dubbed AttachMe, is now being discussed in a new advisory the company published this week. According to Wix, the vulnerability is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers.
The vulnerability was fixed within hours by Oracle, Wiz reports. No customer action was required. Before it was patched, all OCI customers could have been targeted by a threat actor. Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be initiated by executable file manipulation.
Sounil Yu, Chief Information Security Officer at JupiterOne, explains, "Any cross-tenant vulnerability is particularly dangerous because it allows an attacker to undermine isolation among customers. Tenant isolation fits squarely in the cloud service provider's part of the shared responsibility model. As such, this class of vulnerability broadly affects all customers of the cloud service provider, thus making it far more dangerous than one that lies within the customer's part of the shared responsibility model."
Yu adds, "What is peculiar about the AttachMe vulnerability is that the design flaw is very basic and simple to check during testing. The security of the storage volume was based primarily on obscurity, which is not at all a reliable way to ensure proper tenant isolation."
In addition, the security vulnerability highlights the crucial importance of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities to cloud security, Wiz says.
Today, there is no clear process around cloud vulnerabilities enforced by the security community, Wiz notes, and cloud vulnerabilities are typically not issues CVEs, making it hard for customers to track.
Researchers from Wiz and other cloud security community members initiated the Open Cloud Vulnerability & Security Issue Database to help close this security gap and, in turn, help cloud users and defenders monitor and track cloud vulnerabilities.