In terms of delivering public cloud services, an Azure customer recently taught Microsoft a lesson in running a tight ship.
Ian Duffy, a software engineer at online retailer Zalando, had set out to create a secure, custom Red Hat Enterprise Linux (RHEL) machine image that could run on both Amazon Web Services (AWS) and Microsoft Azure. During the process, he discovered a vulnerability that could have provided an attacker root access to virtual machines.
Duffy managed to obtain “administrator level access to all of the Microsoft Azure-managed Red Hat Update Infrastructure that supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace,” he wrote in a blog post detailing the flaw.
In theory, an attacker could have tracked down the Red Hat Update Appliance that is responsible for managing and distributing RHEL updates for each Azure region and gain administrative access to the Red Hat Enterprise Linux Appliance Representational State Transfer API. From there, it would have been possible to upload an altered package granting an attacker access to client virtual machines than ran the update.
And attackers are always on the lookout for cloud vulnerabilities.
Recently, security firm Rapid7 deployed honeypots on the major clouds, including AWS, Azure, Google, Rackspace and IBM SoftLayer. Dubbed the Project Heisenberg Cloud, the effort uncovered a frequent scanning of port 443 (HTTPS) on Google’s cloud and scanning for signs of the Mirai Internet of Things (IoT) botnet across all cloud providers.
The Azure RHEL flaw is an example of the security gap that exists between private data centers and public clouds, said Roy Feintuch, CTO and co-founder of cloud security specialist Dome9. He warns that organizations should be mindful of adapting on-premises IT systems for public cloud consumption.
Feintuch told eWEEK that the “vulnerability around how Microsoft Azure handles RHEL updates shows how things can go very wrong when private appliances meant for internal use become accessible to the public,” via email. “Well planned and executed access control is key to preventing such vulnerabilities and containing their impact.”
In short, don’t take security for granted, advised Feintuch.
“Security needs to be designed under the assumption that software is susceptible to bugs and misconfigurations, and that private services exposed to the public will get hacked eventually,” he continued. “With the proper tools that allow organizations to visualize, evaluate and enforce the exposure level of each service they deploy, such risks can be mitigated.”
The RHEL flaw was quickly remedied after Duffy reported the issue to Microsoft Online Services Bug Bounty program.
“Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net,” the application that supplied file archives, including logs, configuration files and SSL certificates, of the affected servers. “Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets,” he added.