Wiz security researcher Elad Gabay reported that they discovered a critical vulnerability in Oracle Cloud Infrastructure (OCI) which could have allowed one customer to read and write another customer's data on the same platform without permission.
In other words, the vulnerability could have given any Oracle customer unauthorized access to another customer's cloud storage data.
The good news is that when Wiz researchers notified Oracle about the bug, the company fixed it within 24 hours. The even better news is that customers don't need to do anything to receive the fix.
Vulnerability Analysis.
Dubbed AttachMe by the researchers, the vulnerability is a textbook example of a cloud isolation vulnerability and of how threat actors can exploit such flaws to gain unauthorized access to someone else's data.
According to Wiz's blog post, the vulnerability was discovered in June 2022 and was regarded as one of the most severe cloud vulnerabilities seen so far: it could affect every OCI customer and broke the most basic promise of cloud storage, that customer data remains safe.
Exploiting the Vulnerability.
Gabay said the flaw was exploitable if the threat actor knew the Oracle Cloud Identifier (OCID) of a customer's storage volume. Since this identifier is not treated as confidential data, it was possible to attach that volume to an attacker-controlled virtual machine in Oracle's cloud, provided the volume was not already attached or supported multiple attachments.
The identifier alone was therefore enough to attach the volume and read its contents, including the target's sensitive data. The flaw appears to have stemmed from OCI not verifying that the caller was authorized to attach the volume.
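As an added illustration (not Oracle's code, which is not public, and not from Wiz's write-up), the toy model below contrasts an attach check that looks only at attachment state, the pattern described above, with one that first verifies that the caller's tenancy owns the volume. The OCIDs, tenancy names and instance names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str                # Oracle Cloud Identifier; public-looking, not a secret
    tenancy: str             # tenant that owns the volume
    multi_attach: bool       # may several instances attach it at once?
    attached_to: set = field(default_factory=set)


@dataclass
class AttachRequest:
    caller_tenancy: str      # tenant making the API call
    instance: str            # VM the volume should be attached to
    volume_ocid: str         # identifier supplied by the caller


def fresh_inventory():
    """Constructed sample inventory (hypothetical OCIDs and tenancy names)."""
    return {
        "ocid1.volume.oc1..victim0001": Volume("ocid1.volume.oc1..victim0001", "tenancy-a", False),
        "ocid1.volume.oc1..shared0002": Volume("ocid1.volume.oc1..shared0002", "tenancy-a", True),
    }


def attach_vulnerable(req, volumes):
    """AttachMe pattern: only the attachment state is checked, so any caller who
    knows the OCID succeeds when the volume is free or supports multi-attach."""
    vol = volumes.get(req.volume_ocid)
    if vol is None:
        return "not_found"
    if vol.attached_to and not vol.multi_attach:
        return "denied: already attached"
    vol.attached_to.add(req.instance)
    return "attached"


def attach_fixed(req, volumes):
    """Hardened check: ownership is verified before attachment state is consulted.
    'Not yours' and 'does not exist' return the same answer so the API does not
    confirm that a foreign OCID is valid."""
    vol = volumes.get(req.volume_ocid)
    if vol is None or vol.tenancy != req.caller_tenancy:
        return "not_found"
    if vol.attached_to and not vol.multi_attach:
        return "denied: already attached"
    vol.attached_to.add(req.instance)
    return "attached"
```

Note that the vulnerable check does refuse a single-attach volume that is already in use, which is exactly the "not attached already or supports multiple attachments" condition in the write-up; the ownership test is what closes the gap in every state.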
Once a threat actor has hijacked someone's cloud storage in this way, they could leak sensitive data, alter code stored on the volume, or escalate privileges. Nevertheless, since the vulnerability has been fixed, users have no reason to worry.