Attackers could have targeted cloud storage volumes through a now-patched vulnerability in Oracle Cloud Infrastructure (OCI). The flaw, dubbed ‘AttachMe’, was discovered by security researchers at Wiz and reported to Oracle in June.
After Wiz’s notification, Oracle (the American multinational technology company) patched the flaw. Because the fix was applied on the OCI side, it required no action from customers.
OCI vulnerability report
According to Wiz senior software engineer Elad Gabay, before the patch was released any attacker who knew of the flaw could have used it against Oracle customers.
Wiz explained that the attack hinged on the Oracle Cloud Identifier (OCID) of a block storage volume. Any volume that was unattached, or that was attached with multi-attach enabled, could be attached by a third party who knew its OCID, with no check that the requester was authorized to use it. According to Gabay, this allowed sensitive data to be read and exfiltrated from the volume, and a more severe attack was possible by writing to it, for example by tampering with an executable on the volume so that the victim’s instance later ran attacker-controlled code.
Wiz added that anyone aware of the vulnerability could have used it for privilege escalation and cross-tenant access.
The cloud security company argued that these attack paths were realistic because OCIDs are not treated as secrets the way passwords or security credentials are: they appear in configuration, scripts and documentation, and many can be found with a simple internet search.
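To make the authorization gap concrete, the following is an added toy model written for this page; it is not Oracle’s or Wiz’s code. It contrasts a volume-attach handler that checks only whether a volume is attachable (unattached, or multi-attach enabled), so that knowing the OCID is the only “credential”, with a hardened handler that first verifies the caller’s tenancy owns the volume and fails closed without confirming whether a guessed OCID exists. All OCIDs, tenancy names, instance names and function names are constructed placeholders.

```python
"""Toy model of the AttachMe authorization gap (added example, not Oracle's or Wiz's code).

The vulnerable handler checks only whether the volume is attachable, so
possession of the OCID is enough to attach someone else's volume.  The
hardened handler authorizes the caller's tenancy first.  All identifiers
below are constructed placeholders, not real OCIDs.
"""
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str
    tenancy: str                      # tenancy that owns the volume
    multi_attach: bool = False        # may be attached to several instances
    attached_to: set = field(default_factory=set)

    def attachable(self) -> bool:
        """A volume accepts a new attachment if it is unattached or multi-attach."""
        return not self.attached_to or self.multi_attach


@dataclass
class Caller:
    tenancy: str
    instance_ocid: str


class AttachDenied(Exception):
    """Raised when an attach request is refused."""


def make_inventory() -> dict:
    """Constructed victim inventory: three volumes in one tenancy."""
    victim_vm = "ocid1.instance.oc1..victimvm"
    return {
        # unattached: exposed to a foreign attach by the vulnerable handler
        "ocid1.volume.oc1..unattached": Volume("ocid1.volume.oc1..unattached", "tenancy-victim"),
        # attached with multi-attach enabled: also exposed
        "ocid1.volume.oc1..shared": Volume("ocid1.volume.oc1..shared", "tenancy-victim",
                                           multi_attach=True, attached_to={victim_vm}),
        # attached, single-attach only: refused even by the vulnerable handler
        "ocid1.volume.oc1..busy": Volume("ocid1.volume.oc1..busy", "tenancy-victim",
                                         attached_to={victim_vm}),
    }


def attach_vulnerable(volumes: dict, caller: Caller, volume_ocid: str) -> bool:
    """Flawed check: anyone who knows the OCID may attach an attachable volume."""
    vol = volumes[volume_ocid]
    if not vol.attachable():
        raise AttachDenied("volume is attached and not multi-attach")
    vol.attached_to.add(caller.instance_ocid)
    return True


def attach_hardened(volumes: dict, caller: Caller, volume_ocid: str) -> bool:
    """Authorization first: the caller's tenancy must own the volume."""
    vol = volumes.get(volume_ocid)
    # One error for both "no such volume" and "not yours", so probing the
    # attach API cannot confirm that a guessed OCID exists.
    if vol is None or vol.tenancy != caller.tenancy:
        raise AttachDenied("not authorized")
    if not vol.attachable():
        raise AttachDenied("volume is attached and not multi-attach")
    vol.attached_to.add(caller.instance_ocid)
    return True


def run_scenario(attach_fn, caller_tenancy: str = "tenancy-attacker") -> dict:
    """Try to attach every inventory volume to the caller's instance.

    Returns {volume_ocid: True if attached, False if refused}.
    """
    volumes = make_inventory()
    caller = Caller(tenancy=caller_tenancy,
                    instance_ocid=f"ocid1.instance.oc1..{caller_tenancy}vm")
    outcome = {}
    for ocid in volumes:
        try:
            outcome[ocid] = attach_fn(volumes, caller, ocid)
        except AttachDenied:
            outcome[ocid] = False
    return outcome


if __name__ == "__main__":
    print("vulnerable, foreign caller:", run_scenario(attach_vulnerable))
    print("hardened, foreign caller:  ", run_scenario(attach_hardened))
    print("hardened, owning tenancy:  ", run_scenario(attach_hardened, "tenancy-victim"))
```

The point of the model is that “is this volume attachable?” is a state check, not an authorization check; the hardened handler asks “does this caller own this volume?” before it looks at state, and returns the same refusal for foreign and non-existent volumes.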
Cloud tenant isolation
Tenant isolation is a foundational property of every multi-tenant cloud or SaaS provider. It describes an architecture that prevents one tenant from gaining unauthorized access to another tenant’s resources and keeps tenants from interfering with each other in the shared environment.
The OCI vulnerability shows how much cloud security depends on tenant isolation. Protecting cloud customers requires understanding the weaknesses of provider-side resources and tracking cloud vulnerabilities publicly, since customers themselves have no patch to apply.
Wiz published a technical write-up of ‘AttachMe’ on September 20, 2022, laying out the steps of the attack and the researchers’ findings, together with a demonstration and guidance on remediating this class of issue.