Oracle cloud bug allowed accessing other users’ virtual disks
Severe Oracle cloud vulnerability allowed researchers to access Oracle’s virtual disk that did not belong to them.
The severe Oracle Cloud Infrastructure (OCI) flaw, dubbed #AttachMe, was discovered by researchers at security firm Wiz. According to Shir Tamari, the head of Wiz’s research, not only could attackers access the virtual drive but also write over it.
“When trying to attach to another OCI user’s virtual disk, we were surprised to find the operation succeeded! We received read/write access to disks in another account that does not belong to us,” Tamari said in a Tweet.
He explained that each virtual disk in Oracle’s cloud has a unique identifier that no one considers secret. However, an attacker with the identifier could access the virtual disk, given it was not attached to an active server at the time of the attack.
The root cause of the flaw, Tamari said, was the lack of permission verification in one of the application programming interfaces (API).
While Oracle fixed the flaw the same day Wiz reported, Tamari noted that this was the first time he encountered a cross-tenant vulnerability in a cloud service provider’s infrastructure.
“Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants. This highlights the crucial importance of proactive cloud vulnerability research […],” reads Wiz’s blog post.
The disclosure comes a month after another company from the Oracle family, the data broker Oracle America, has been served with a class-action lawsuit over alleged privacy violations.
The lawsuit accuses the company of selling “detailed personal information to third parties” both directly and via its ID Graph function, “a service product designed to provide ‘identity resolution,’ the process of ‘matching individual customer identities and combining them into a single consistent and accurate customer profile.’”
Resource : https://cybernews.com/news/oracle-cloud-bug-allowed-accessing-other-users-virtual-disks/