An Oracle Cloud Infrastructure (OCI) flaw that enables attackers to alter customers’ storage volumes without their consent has been disclosed by cloud security firm Wiz. The vulnerability, also known as #AttachMe, was noted in Oracle’s July 2022 Critical Patch Update and might have made sensitive information available to attackers who knew the victim’s Oracle Cloud Identifier (OCID).
“OCI customers could have been targeted by an attacker with knowledge of #AttachMe. Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID),” explains Wiz security researcher Elad Gabay.
In essence, this flaw rendered cloud isolation in OCI useless, enabling anybody to attach disks to virtual machines in other accounts without authorization. An attacker could exploit the flaw by obtaining the victim’s OCID and launching a compute instance in a tenancy within the same availability domain as the target volume.
When attaching a volume to that instance, the attacker could then select the victim’s volume and gain read/write access to it. The security researcher notes that the target volume must be either unattached or attached as shareable (multi-attach). Beyond exfiltrating private information or stealing credentials for lateral movement, this kind of access could allow an attacker to modify block volumes and boot volumes and thereby achieve code execution.
Gabay notes that the attach procedure could be carried out without any authorization because the operation did not verify that the caller had write permission on the volume being attached. Had the flaw been exploited, an attacker could have enumerated accessible volumes, obtained their OCIDs, and then accessed the data they contained.
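To make the missing check concrete, the following is an added illustrative model (not Oracle’s code or Wiz’s research material; the resource shapes, tenancy names and OCIDs are constructed) of an attach operation that verifies the caller’s rights on the instance and the volume’s attach state, but not the caller’s rights on the volume, beside the corrected version that does:

```python
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str
    tenancy: str
    availability_domain: str
    multi_attach: bool = False            # "shareable" volume allowing several attachments
    attached_to: set = field(default_factory=set)


@dataclass
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


class AuthorizationError(PermissionError):
    pass


def _common_checks(caller_tenancy, instance, volume):
    # Checks both variants perform: the caller owns the instance, both resources
    # sit in one availability domain, and the volume is unattached or shareable.
    if instance.tenancy != caller_tenancy:
        raise AuthorizationError("caller may not use this instance")
    if instance.availability_domain != volume.availability_domain:
        raise ValueError("volume and instance must share an availability domain")
    if volume.attached_to and not volume.multi_attach:
        raise ValueError("volume already attached and not shareable")


def attach_volume_vulnerable(caller_tenancy, instance, volume):
    # Models the flaw: knowing the volume OCID is treated as proof of access.
    _common_checks(caller_tenancy, instance, volume)
    volume.attached_to.add(instance.ocid)
    return True


def attach_volume_fixed(caller_tenancy, instance, volume):
    # Corrected: the caller must also be authorized on the volume itself.
    _common_checks(caller_tenancy, instance, volume)
    if volume.tenancy != caller_tenancy:
        raise AuthorizationError("caller may not attach this volume")
    volume.attached_to.add(instance.ocid)
    return True


def try_attach(attach_fn, caller_tenancy, instance, volume):
    # Returns "attached" or the name of the rejection raised, for comparison.
    try:
        attach_fn(caller_tenancy, instance, volume)
        return "attached"
    except (AuthorizationError, ValueError) as exc:
        return type(exc).__name__
```

The same cross-tenant request passes the vulnerable path and is rejected with an authorization error by the corrected one; a volume that is already attached and not shareable is rejected by both, matching the precondition described above.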
Wiz believes that #AttachMe could have been readily abused for privilege escalation inside the same compartment or tenancy and for cross-tenant access, because OCIDs are not generally regarded as secrets and can be found through web searches. Oracle fixed the flaw one day after Wiz disclosed the vulnerability in June. Gabay’s work was acknowledged in the tech titan’s July 2022 Critical Patch Update advisory.