A flaw in Microsoft's Azure cloud platform could have been exploited by an attacker to gain admin rights to instances of Red Hat Enterprise Linux (RHEL) and storage accounts hosted on Azure.
The vulnerability was discovered by Irish software engineer Ian Duffy and reported to Microsoft as part of its bug bounty programme. Duffy discovered the glitch while working on a hardened RHEL image for use on both Amazon Web Services (AWS) and Microsoft Azure.
Part of the spec was that it should operate under a metered billing pricing model, consuming software updates from a local RHEL repository owned and managed by the cloud provider.
Both AWS and Azure utilise a deployment of Red Hat Update Infrastructure, comprising the Red Hat Update Appliance and a Content Delivery Network, to supply software updates for their regions. One copy of the Red Hat Update Appliance is created per region.
The clients ought to be isolated from the Red Hat Update Appliance. AWS achieves this by requiring that an instance be booted from a machine image that contains the billing code; Azure did not have this safeguard.
Duffy noticed that some Red Hat Package Manager (RPM) files contained client configurations for each region. From this, he was able to discover the URLs of all regional Red Hat Update Appliances on Azure and obtain access to archives containing log files, configuration files and SSL certificates that could be used to gain full administrative access to the Red Hat Update Appliances.
"It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it, all billing association seemed to be lost, but repository access was still available," wrote Duffy in his blog.
He continued: "Despite the application requiring username- and password-based authentication, it was possible to execute a run of their 'backend log collector' on a specified content delivery server. When the collector service completed, the application supplied URLs to archives which contain multiple logs and configuration files from the servers."
It may also have been possible to access storage accounts, Duffy said.
"Given some poor implementation within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent), one is able to obtain the administrator API keys to the storage account used by the virtual machine for debug log shipping purposes," he wrote.
"At the time of research, this storage account defaulted to one shared by multiple virtual machines. If the storage account was used by multiple virtual machines there is potential to download their virtual hard disks."
Microsoft has since taken action to prevent public access to the log monitoring application and the Red Hat Update Appliances.
It is not known whether the bug was ever exploited in the wild.