After identifying multiple security vulnerabilities in Microsoft’s heavily used Azure cloud services, Wiz researchers are now saying they recently found a “critical vulnerability” in the Oracle Cloud Infrastructure (OCI) that could have allowed “unauthorised access to cloud storage volumes of any customer.”
First discovered in June and quickly fixed within 24 hours by Oracle, the vulnerability was “one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers,” Wiz said.
Called ‘#AttachMe’ by researchers, the vulnerability violated one of the most important promises of cloud storage – that a customer’s data is safe from prying eyes, according to Wiz.
The #AttachMe vulnerability stems from OCI allowing a storage volume belonging to one account to be attached to a virtual machine in another account without requiring any permission on that volume.
“This means a potential attacker could have accessed and modified data from any OCI customer, and in some cases even take over the environment,” Wiz said.
Once in a victim’s account, a hacker could have performed a number of damaging actions, among them the leaking of sensitive data, escalating privileges and manipulating code.
“Cloud tenant isolation is a key element in cloud,” Elad Gabay, a software engineer at Wiz, said.
“Customers expect that their data isn’t accessible by other customers.”
“Yet, cloud isolation vulnerabilities break the walls between tenants,” Gabay added.
“Before it was patched, #AttachMe could have allowed attackers to access and modify any other users’ OCI storage volumes without authorization, thereby violating cloud isolation,” Gabay continued.
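The authorization gap the article describes, modeled as an added Python example. This is illustrative code written for this page, not Oracle's or Wiz's code, and it does not reproduce the real OCI API: a toy block-storage control plane whose vulnerable attach operation checks the caller's rights on the target instance but not on the referenced volume, beside a fixed version that authorizes every referenced resource against the caller's tenancy. All class names, identifiers and the two-tenancy sample data are constructed for the example.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller may not act on a referenced resource."""


@dataclass(frozen=True)
class Volume:
    volume_id: str
    tenant: str          # tenancy that owns the volume


@dataclass(frozen=True)
class Instance:
    instance_id: str
    tenant: str          # tenancy that owns the virtual machine


@dataclass(frozen=True)
class Attachment:
    instance_id: str
    volume_id: str


@dataclass
class BlockStorageService:
    """Toy control-plane service holding volumes, instances and attachments (hypothetical)."""
    volumes: dict[str, Volume]
    instances: dict[str, Instance]
    attachments: list[Attachment] = field(default_factory=list)

    def attach_volume_vulnerable(self, caller_tenant, instance_id, volume_id):
        # Authorizes the caller on the instance they target...
        instance = self.instances[instance_id]
        if instance.tenant != caller_tenant:
            raise AuthorizationError("not authorized on instance")
        # ...but takes the volume identifier on trust: any volume whose ID the
        # caller knows gets attached, regardless of which tenancy owns it.
        volume = self.volumes[volume_id]
        attachment = Attachment(instance.instance_id, volume.volume_id)
        self.attachments.append(attachment)
        return attachment

    def attach_volume_fixed(self, caller_tenant, instance_id, volume_id):
        # Every resource the request references is resolved and authorized
        # against the caller's tenancy before any state changes.
        instance = self.instances.get(instance_id)
        volume = self.volumes.get(volume_id)
        # "Unknown" and "owned by another tenancy" produce the same error, so a
        # caller cannot use the response to confirm that a guessed ID exists.
        if instance is None or instance.tenant != caller_tenant:
            raise AuthorizationError("instance not found or not authorized")
        if volume is None or volume.tenant != caller_tenant:
            raise AuthorizationError("volume not found or not authorized")
        attachment = Attachment(instance.instance_id, volume.volume_id)
        self.attachments.append(attachment)
        return attachment


def build_sample_service() -> BlockStorageService:
    """Two tenancies with one VM and one volume each (constructed sample data)."""
    return BlockStorageService(
        volumes={
            "vol-victim": Volume("vol-victim", tenant="victim"),
            "vol-attacker": Volume("vol-attacker", tenant="attacker"),
        },
        instances={
            "vm-victim": Instance("vm-victim", tenant="victim"),
            "vm-attacker": Instance("vm-attacker", tenant="attacker"),
        },
    )


def cross_tenant_attach_allowed(attach) -> bool:
    """Return True if `attach` lets the attacker mount the victim's volume on the attacker's VM."""
    try:
        attach("attacker", "vm-attacker", "vol-victim")
    except AuthorizationError:
        return False
    return True


def demo() -> dict[str, bool]:
    """Run the cross-tenant attach against both variants and a legitimate attach against the fix."""
    vulnerable = build_sample_service()
    fixed = build_sample_service()
    return {
        "vulnerable_allows_cross_tenant": cross_tenant_attach_allowed(vulnerable.attach_volume_vulnerable),
        "fixed_allows_cross_tenant": cross_tenant_attach_allowed(fixed.attach_volume_fixed),
        "fixed_allows_own_volume": fixed.attach_volume_fixed("attacker", "vm-attacker", "vol-attacker") is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the fixed variant is that a request naming several resources must be authorized on each of them, not only on the one the caller is "acting on"; the volume is as much a target of the attach as the instance is. Returning the same error for a missing and a foreign volume keeps the endpoint from doubling as an existence oracle for resource identifiers.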
Ironically, Wiz discovered the major vulnerability as it was integrating its cloud-security technology with OCI, after the two companies had entered into a partnership that made the security firm available on Oracle Cloud Marketplace, company officials said.
Representatives from Oracle could not be reached for comment.
In an interview with CRN, Shir Tamari, head of research at Wiz, said the cloud in general remains the “most secure option for companies” looking to store data, compared to on-premises storage.
But he said research by Wiz and others has shown that the cloud indeed has its share of vulnerabilities.
The “cloud isolation problem” is starting to be seen “across multiple cloud providers,” Tamari said.
“Cloud isolation is one of the most fundamental promises of the cloud, that one customer will not be able to access the data of another customer,” he said.
And yet that’s exactly what Wiz has proven was possible with both Microsoft Azure and now with OCI.