Critical Vulnerability in Oracle Cloud Infrastructure Allowed Unauthorized Access

A new vulnerability in Oracle Cloud Infrastructure (OCI) would have allowed unauthorized access to the cloud storage volumes of all users, violating cloud tenant isolation.

The flaw, discovered by cloud security experts at Wiz in June and dubbed AttachMe, is now being discussed in a new advisory the company published today.

The company said that within 24 hours of being informed by Wiz, Oracle patched the flaw for all OCI customers without any customer action required.

However, in the technical write-up, Wiz senior software engineer Elad Gabay said that before it was patched, all OCI customers could have been targeted by an attacker with knowledge of the vulnerability.

“Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be initiated by executable file manipulation,” Gabay explained.

According to the Wiz advisory, potential attacks resulting from a threat actor aware of this flaw included privilege escalation and cross-tenant access.

“We consider both potential attack paths quite feasible given that OCIDs are generally not treated as secrets. Numerous OCIDs of both block volumes and boot volumes of various environments, including those of major companies, can be found via a simple online search.”
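The point above, that an OCID is an identifier and not a secret, is the heart of the isolation lesson. The following is an added illustration, not Wiz's or Oracle's code: a simulated volume-attach check in which the weak version grants access to anyone who knows a volume's OCID, while the hardened version requires that the caller's tenancy owns the volume. All OCIDs, tenancy names and the inventory are constructed for the example.

```python
# Added example: tenant-isolation check for a simulated "attach volume" call.
# It models the class of flaw described in the article (authorization that
# relies on knowledge of a non-secret identifier), not Oracle's real API.
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str
    tenancy: str               # tenancy that owns the volume
    multi_attach: bool = False  # may be attached to several instances
    attached_to: set = field(default_factory=set)


class AttachDenied(Exception):
    pass


def make_inventory():
    """Constructed inventory: one single-attach boot volume owned by tenantA
    and one multi-attach block volume owned by tenantB."""
    a = Volume("ocid1.volume.oc1..example-tenantA-boot", "tenantA")
    b = Volume("ocid1.volume.oc1..example-tenantB-shared", "tenantB", multi_attach=True)
    return {a.ocid: a, b.ocid: b}


def _check_attach_state(vol):
    # Matches the article: unattached volumes and multi-attach volumes are
    # attachable; a single-attach volume already in use is not.
    if vol.attached_to and not vol.multi_attach:
        raise AttachDenied("volume already attached")


def attach_weak(volumes, caller_tenancy, instance_ocid, volume_ocid):
    """Flawed: existence of the OCID is the only lookup, so any caller who
    learns a volume's identifier can attach it to their own instance."""
    vol = volumes.get(volume_ocid)
    if vol is None:
        raise AttachDenied("no such volume")
    _check_attach_state(vol)
    vol.attached_to.add(instance_ocid)
    return True


def attach_hardened(volumes, caller_tenancy, instance_ocid, volume_ocid):
    """Tenant-isolated: the volume must belong to the caller's tenancy.
    'Missing' and 'not yours' return the same error so the endpoint cannot
    be used to confirm which OCIDs exist in other tenancies."""
    vol = volumes.get(volume_ocid)
    if vol is None or vol.tenancy != caller_tenancy:
        raise AttachDenied("volume not found in caller's tenancy")
    _check_attach_state(vol)
    vol.attached_to.add(instance_ocid)
    return True


def is_allowed(attach_fn, *args):
    """True if the attach call succeeds, False if it is denied."""
    try:
        return attach_fn(*args)
    except AttachDenied:
        return False
```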

According to the cloud security expert, the bug shows how crucial cloud tenant isolation is in any cloud infrastructure.

“Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants,” Gabay said. “This highlights the crucial importance of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities to cloud security.”

More information about the patched Oracle vulnerability, including a technical demonstration, is available in Wiz’s technical post.

The disclosure comes days after a report by Snyk revealed almost 80% of organizations suffered a “severe” cloud security incident over the course of the last 12 months.