#AttachMe Oracle Cloud Vulnerability

By Autumn Gamble on October 13, 2022

Executive Summary

On September 20, 2022, Wiz security researcher Elad Gabay publicly disclosed a security flaw found in June 2022 during an examination of Oracle Cloud Infrastructure (OCI). Dubbed #AttachMe by the researchers, the vulnerability is a clear example of a cloud tenant-isolation failure and of how threat actors can exploit such flaws to gain unauthorized access to another customer's data [3]. Isolation between customer tenants is a foundational security property of the cloud, so a vulnerability that lets an attacker reach resources in another customer's tenant is critical by definition. #AttachMe is among the most severe cloud vulnerabilities reported to date because it could have affected every OCI customer. Speaking to The Daily Swig, Wiz researcher Sagi Tzadik said that the real-world ramifications of the vulnerability could have been quite severe had it not been patched so quickly by Oracle. The root cause was a missing authorization check in the OCI volume-attach operation: the service did not verify that the caller had permission to use the volume being attached. Within 24 hours of being informed by Wiz, Oracle patched the #AttachMe vulnerability for all OCI customers [1].

Background

Oracle Cloud Infrastructure (OCI) is a public cloud platform on which customers build and run a wide range of applications [4]. An attack would begin with the target volume's unique identifier, its Oracle Cloud Identifier (OCID). OCIDs are not treated as secrets, so one could be obtained from publicly available information or through a low-privilege account. A threat actor would then launch a compute instance in an attacker-controlled tenant, located in the same availability domain (AD) as the target volume, and attach the victim's volume to that instance [2]. Because the attach operation did not check whether the caller was authorized to use the volume, the attacker obtained read/write access to it regardless of their actual permissions. An attacker could have used this access to steal or modify data, search the volume for cleartext secrets, and use those secrets to move laterally within the victim's environment. The Wiz security team disclosed its findings to Oracle on June 9, three days after discovery. Oracle acknowledged the report on June 10 and confirmed and fixed the vulnerability the same day. No OCI customer action is required [1].
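The attack flow above comes down to one missing check: the attach operation verified that the caller owned the instance and that the volume sat in the same availability domain, but never verified that the caller was authorized for the volume itself. The following Python model, added here as an illustration and not Oracle's code, places a simplified vulnerable attach handler next to a fixed one. The OCIDs, tenancy names, in-memory resource tables and the CROSS_TENANCY_GRANTS allow-list are all constructed for the example; real OCI authorization is policy-driven and far more involved.

```python
"""Model of the #AttachMe authorization gap in a volume-attach operation.

Added illustration only: the resource tables, OCIDs and tenancy names below are
constructed sample data, and the grant set is a hypothetical stand-in for a
real cross-tenancy policy. Nothing here is OCI's own implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    ocid: str
    tenancy: str
    availability_domain: str


@dataclass(frozen=True)
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


@dataclass(frozen=True)
class Caller:
    tenancy: str  # the tenancy the API request is authenticated under


@dataclass(frozen=True)
class Attachment:
    instance_ocid: str
    volume_ocid: str


class AuthorizationError(Exception):
    pass


# Constructed sample data: a victim volume and an attacker tenant that has an
# instance in the same availability domain (PHX-AD-1) and one in another AD.
VOLUMES = {
    "ocid1.volume.oc1.phx.victim0001": Volume(
        "ocid1.volume.oc1.phx.victim0001", "tenancy-victim", "PHX-AD-1"),
    "ocid1.volume.oc1.phx.attacker01": Volume(
        "ocid1.volume.oc1.phx.attacker01", "tenancy-attacker", "PHX-AD-1"),
}
INSTANCES = {
    "ocid1.instance.oc1.phx.attacker01": Instance(
        "ocid1.instance.oc1.phx.attacker01", "tenancy-attacker", "PHX-AD-1"),
    "ocid1.instance.oc1.phx.attacker02": Instance(
        "ocid1.instance.oc1.phx.attacker02", "tenancy-attacker", "PHX-AD-2"),
}
# Hypothetical explicit cross-tenancy grants: (volume tenancy, caller tenancy).
# Empty means deny-by-default for any volume outside the caller's tenancy.
CROSS_TENANCY_GRANTS: set[tuple[str, str]] = set()


def _common_checks(caller: Caller, instance_ocid: str, volume_ocid: str):
    """Checks both handlers perform: instance ownership and AD co-location."""
    instance = INSTANCES[instance_ocid]
    volume = VOLUMES[volume_ocid]  # looked up by identifier alone
    if instance.tenancy != caller.tenancy:
        raise AuthorizationError("instance is not in the caller's tenancy")
    if volume.availability_domain != instance.availability_domain:
        raise ValueError("volume and instance must be in the same availability domain")
    return instance, volume


def attach_volume_vulnerable(caller: Caller, instance_ocid: str, volume_ocid: str) -> Attachment:
    """The gap: the volume's owning tenancy is never compared with the caller's.
    Anyone who knows a volume OCID and has an instance in the right AD succeeds."""
    _common_checks(caller, instance_ocid, volume_ocid)
    return Attachment(instance_ocid, volume_ocid)


def attach_volume_fixed(caller: Caller, instance_ocid: str, volume_ocid: str) -> Attachment:
    """Deny unless the volume is in the caller's tenancy or explicitly granted."""
    _, volume = _common_checks(caller, instance_ocid, volume_ocid)
    if volume.tenancy != caller.tenancy and \
            (volume.tenancy, caller.tenancy) not in CROSS_TENANCY_GRANTS:
        raise AuthorizationError("caller is not authorized for this volume")
    return Attachment(instance_ocid, volume_ocid)


def run_attack(attach) -> str:
    """Attacker in tenancy-attacker tries to attach the victim's volume to an
    attacker-owned instance in the same AD. Returns 'attached' or 'denied'."""
    attacker = Caller("tenancy-attacker")
    try:
        attach(attacker, "ocid1.instance.oc1.phx.attacker01",
               "ocid1.volume.oc1.phx.victim0001")
        return "attached"
    except AuthorizationError:
        return "denied"


if __name__ == "__main__":
    print("vulnerable handler:", run_attack(attach_volume_vulnerable))
    print("fixed handler:     ", run_attack(attach_volume_fixed))
```

The point of the model is that the AD check is not an authorization check: it constrains where an attacker must stand up an instance, but says nothing about who may use the volume. The fix adds the missing ownership test and treats any cross-tenancy use as denied unless an explicit grant exists.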

Impact

There are 2,685 companies using Oracle Cloud, including Airbnb, adidas, Bank of America, Labcorp, Toyota, FedEx, Experian, and many more [5]. Because the attach operation did not check the caller's authorization for the volume, any one of them could in principle have been the target. "This could lead to severe sensitive data leakage for potentially all Oracle Cloud Infrastructure (OCI) customers and in some scenarios could even be exploited to gain remote code execution on their environment, providing an initial entry point for further movement in the victim's cloud environment," said Wiz researcher Sagi Tzadik [3]. Per Wiz, a potential attacker could have exfiltrated sensitive data stored on the volume; searched the volume for cleartext secrets in order to move laterally through the victim's environment and/or escalate privileges; and altered existing block volumes and boot volumes, e.g. by manipulating binaries, in order to gain code execution when the volumes were next mounted on compute instances [1]. The impact could have been severe had the vulnerability not been patched so rapidly upon notification.

Conclusion

While this vulnerability could have been catastrophic, Oracle completed a patch within 24 hours of receiving the report. At this time users do not need to take any action. For a detailed explanation of how the vulnerability could have been exploited, see the Wiz write-up at https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access.

References

[1] E. Gabay, “Attachme: Critical OCI vulnerability allows unauthorized access to customer Cloud Storage Volumes: Wiz Blog,” wiz.io, 20-Sep-2022. [Online]. Available: https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access. [Accessed: 29-Sep-2022].

[2] C. Osborne, “#AttachMe Oracle Cloud bug exposed volumes to data theft, hijack,” The Daily Swig | Cybersecurity news and views, 23-Sep-2022. [Online]. Available: https://portswigger.net/daily-swig/attachme-oracle-cloud-bug-exposed-volumes-to-data-theft-hijack. [Accessed: 28-Sep-2022].

[3] Waqas, O. Sultan, and J. Hassan, “Attachme – oracle patches ‘severe’ vulnerability in its cloud infrastructure,” HackRead, 21-Sep-2022. [Online]. Available: https://www.hackread.com/oracle-attachme-vulnerability-cloud-infrastructure/. [Accessed: 29-Sep-2022].

[4] “Oracle Cloud Infrastructure Platform Overview,” Sep-2021. [Online]. Available: https://www.oracle.com/a/ocom/docs/cloud/oracle-cloud-infrastructure-platform-overview-wp.pdf. [Accessed: 30-Sep-2022].

[5] “Oracle Cloud Infrastructure Customer Success,” Oracle. [Online]. Available: https://www.oracle.com/cloud/customers/. [Accessed: 09-Oct-2022].