Site icon The Cybersecurity Daily News

Critical Vulnerability in Oracle Cloud Infrastructure Revealed by Researchers

Oracle Cloud Infrastructure Vulnerability

A new, serious Oracle Cloud Infrastructure (OCI) vulnerability has been revealed that users could utilize to get access to the virtual discs of other Oracle clients.

Shir Tamari, chief of research at Wiz, stated in a series of tweets that “each virtual disc in Oracle’s cloud has a unique identification called OCID”. “Organizations do not treat this identification as a secret, and it is not thought to be secret.”

A victim’s disc that is not actively connected to an active server or set up as shareable could allow an attacker to ‘attach’ to it. And gain read/write access, according to Tamari.

The tenant isolation vulnerability is known as “AttachMe” by the cloud security company. The company patched the same on June 9, 2022, within 24 hours after responsible disclosure.

Accessing a volume using the CLI without sufficient permissions

The cause of Vulnerability is the possibility of a disc being unintentionally joined to a compute instance in another account using the Oracle Cloud Identifier (OCID).

An attacker who had access to the OCID might have used AttachMe to acquire access. For any storage volume, exposing data, allowing for data exfiltration, or even worse. Altering boot volumes to allow for code execution.

The Execution

To execute the attack, the adversary’s instance must be in the same Availability Domain (AD) as the target. The OCID of the target volume.

According to Elad Gabay, a researcher at Wiz, “insufficient user permissions validation is a widespread problem class among cloud service providers”. The best method to spot such problems is to conduct thorough tests for each critical API. In the development phase, along with thorough code reviews.

Nearly five months after Microsoft fixed two problems that might have led to illegal cross-account database access. In a region using the Azure Database for PostgreSQL Flexible Server, the findings have just been made public.


Exit mobile version