‘Severe’ Oracle Cloud Infrastructure Vulnerability Found, Fixed: Wiz

Oracle quickly fixed the problem before it could be exploited by attackers to access customers’ data

Cybersecurity firm Wiz disclosed Tuesday that it discovered yet another major vulnerability within a popular cloud-storage environment.

After identifying multiple security vulnerabilities in Microsoft’s heavily used Azure cloud services, Wiz researchers are now saying they recently found a “critical vulnerability” in the Oracle Cloud Infrastructure (OCI) that could have allowed “unauthorized access to cloud storage volumes of any customer.”

First discovered in June and quickly fixed within 24 hours by Oracle, the vulnerability was “one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers,” according to a blog entry posted on Tuesday by Wiz.

Called ‘#AttachMe’ by researchers, the vulnerability violated one of the most important promises of cloud storage – that a customer’s data is safe from prying eyes, according to Wiz.

“Cloud tenant isolation is a key element in cloud,” says the blog post written by Elad Gabay, a software engineer at Wiz. “Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants.”

Gabay added in his post: “Before it was patched, #AttachMe could have allowed attackers to access and modify any other users‘ OCI storage volumes without authorization, thereby violating cloud isolation.”

In his post, Gabay said that “thankfully” Oracle officials responded “extraordinarily quickly” when Wiz disclosed its findings in June.

Ironically, the New York-based Wiz discovered the major vulnerability as it was integrating its cloud-security technology with OCI, after the two companies had entered into a partnership that made Wiz available on Oracle Cloud Marketplace, company officials said.

Representatives from Oracle could not be reached for comment.

In an interview with CRN, Shir Tamari, head of research at Wiz, said the cloud in general remains the “ most secure option for companies” looking to store data, compared to on-premise storage.

But he said research by Wiz and others has shown that the cloud indeed has its share of vulnerabilities.

The “cloud isolation problem” is starting to be seen “across multiple cloud providers,” Tarmari said.

“Cloud isolation is one of the most fundamental promises of the cloud, that one customer will not be able to access the data of another customer,” he said.

And yet that’s exactly what Wiz has proven was possible with both Microsoft Azure and now with OCI.

In Tuesday’s blog about #AttachMe, Wiz’s Gabay wrote that Wiz engineers found that “attaching a disk to a VM in another account didn’t require any permissions.”

The post added: “This means a potential attacker could have accessed and modified data from any OCI customer, and in some cases even take over the environment.”

Once in a victim’s account, a potential hacker could have performed a number of damaging actions, among them the leaking of sensitive data, escalating privileges and manipulating code.