
AttachMe : Critical OCI Vulnerability


A new vulnerability in Oracle Cloud Infrastructure (OCI) dubbed AttachMe would allow unauthorized access to cloud storage volumes of all users, hence violating cloud isolation.

Oracle said that within 24 hours of being informed it patched the flaw for all OCI customers, with no customer action required. But before it was patched, every OCI customer could have been targeted by an attacker with knowledge of the vulnerability.


Any unattached storage volume, or attached storage volume that allows multi-attachment, could have been read from or written to as long as an attacker knew its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be launched by manipulating executable files on the volume. A threat actor aware of this flaw could also have used it for privilege escalation and cross-tenant access.
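The two volume classes the post singles out (unattached volumes and volumes attached with multi-attach enabled) are exactly the ones a tenant should inventory when assessing exposure to a flaw like this. The following Python script is an added example, not code from the original post or from Wiz or Oracle: it reads the JSON the OCI CLI emits for `oci bv volume list` and `oci compute volume-attachment list`, indexes live attachments by volume OCID, and sorts each live volume into unattached, multi-attach, or single-attach. The sample records and OCIDs are constructed, and the field names (`id`, `volume-id`, `is-shareable`, `lifecycle-state`) are assumed to match the CLI's kebab-case output.

```python
import json
from typing import Dict, List

# Constructed sample shaped like the "data" array of `oci bv volume list --output json`.
# OCIDs are made up; the field names are assumed from the OCI CLI's kebab-case output.
VOLUMES_JSON = json.dumps({"data": [
    {"id": "ocid1.volume.oc1.phx.EXAMPLE-unattached", "display-name": "db-backup", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.EXAMPLE-single", "display-name": "web-data", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.EXAMPLE-shared", "display-name": "cluster-scratch", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.EXAMPLE-old", "display-name": "retired", "lifecycle-state": "TERMINATED"},
]})

# Constructed sample shaped like `oci compute volume-attachment list --output json`.
ATTACHMENTS_JSON = json.dumps({"data": [
    {"volume-id": "ocid1.volume.oc1.phx.EXAMPLE-single", "instance-id": "ocid1.instance.oc1.phx.EXAMPLE-a",
     "is-shareable": False, "lifecycle-state": "ATTACHED"},
    {"volume-id": "ocid1.volume.oc1.phx.EXAMPLE-shared", "instance-id": "ocid1.instance.oc1.phx.EXAMPLE-a",
     "is-shareable": True, "lifecycle-state": "ATTACHED"},
    {"volume-id": "ocid1.volume.oc1.phx.EXAMPLE-shared", "instance-id": "ocid1.instance.oc1.phx.EXAMPLE-b",
     "is-shareable": True, "lifecycle-state": "ATTACHED"},
    {"volume-id": "ocid1.volume.oc1.phx.EXAMPLE-old", "instance-id": "ocid1.instance.oc1.phx.EXAMPLE-a",
     "is-shareable": False, "lifecycle-state": "DETACHED"},
]})


def classify_volumes(volumes_json: str, attachments_json: str) -> Dict[str, List[str]]:
    """Sort live volumes into the exposure classes the post describes."""
    volumes = json.loads(volumes_json)["data"]
    attachments = json.loads(attachments_json)["data"]

    # Index only attachments that are currently live; detached rows are stale history.
    live: Dict[str, List[dict]] = {}
    for att in attachments:
        if att.get("lifecycle-state") == "ATTACHED":
            live.setdefault(att["volume-id"], []).append(att)

    report: Dict[str, List[str]] = {"unattached": [], "multi_attach": [], "single_attach": []}
    for vol in volumes:
        if vol.get("lifecycle-state") in ("TERMINATED", "TERMINATING"):
            continue  # gone or going away; nothing left to attach
        atts = live.get(vol["id"], [])
        if not atts:
            report["unattached"].append(vol["id"])
        elif any(att.get("is-shareable") for att in atts):
            report["multi_attach"].append(vol["id"])
        else:
            report["single_attach"].append(vol["id"])
    return report


def exposed_volumes(report: Dict[str, List[str]]) -> List[str]:
    """Volumes in the two classes the post names as reachable: unattached or multi-attach."""
    return sorted(report["unattached"] + report["multi_attach"])


if __name__ == "__main__":
    rep = classify_volumes(VOLUMES_JSON, ATTACHMENTS_JSON)
    for cls, ids in rep.items():
        print(f"{cls}: {len(ids)}")
    print("review first:", exposed_volumes(rep))
```

In practice you would feed the script the real CLI output for each compartment and review the `exposed_volumes` list first: unattached volumes that nobody needs are candidates for deletion or backup-and-delete, and multi-attach volumes deserve a check that every attached instance is one you expect.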

Potential Risk

Cloud tenant isolation is a key element in the cloud. Customers expect that their data isn't accessible to other customers. Yet cloud isolation vulnerabilities break the walls between tenants.

This highlights the crucial importance, for cloud security, of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities.


Vulnerability timeline

This research was documented by engineers from Wiz.
