Wiz security researcher Elad Gabay reported that they discovered a critical vulnerability in the Oracle Cloud Infrastructure (OCI), which a customer may have exploited to read/write another customer’s data on the same platform without permission.
This means the vulnerability could allow any Oracle customer unauthorized access to the Cloud storage data of another customer.
The good news is that when Wiz researchers notified Oracle about the bug, the IT firm fixed it within 24 hours. The even better news is that customers don’t need to do anything regarding the fix.
Dubbed AttachMe by researchers, the vulnerability is one of the best examples of cloud isolation vulnerabilities and how threat actors can exploit the flaws to gain unauthorized access to someone else’s data.
The vulnerability, according to Wiz’s blog post, was discovered by Wiz in June 2022 and was regarded as one of the severest cloud vulnerabilities that could impact all OCI customers and violate cloud storage’s most significant pledge of customer data safety.
AttachMe is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers. Cloud isolation vulnerabilities usually impact a specific cloud service. However, in this case, the impact is related to a core cloud service.Elad Gabay – Wix
- Attackers Exploit Oracle WebLogic Flaw to Mine $266K in Monero
- Oracle, Google, and Microsoft generated most vulnerabilities in 2021
- Oracle’s Point-of-service Division MICROS Suffers Massive Data Breach
- Hackers Use Malware To Steal Cisco, IBM and Oracle Certification Manager
Exploiting the Vulnerability
Gabay said the flaw was exploitable if the threat actor knew the Oracle Cloud Identifier for a customer’s storage volume. Since this identified isn’t confidential data, it was possible to attach that volume to the actor’s virtual machine in Oracle’s cloud if the volume was not attached already or supported multiple attachments.
Therefore, all the attacker needed was the identifier to attach a volume and access the storage volume, including the target user’s sensitive data. Perhaps the flaw emerged because Oracle Infrastructure didn’t verify permission for linking the storage, which caused the issue.
After hijacking someone’s cloud storage, a threat actor could perform several destructive acts, such as leaking sensitive data, altering code, and gaining privilege escalation. Nevertheless, since the vulnerability has been fixed, users should not be worried.
More Vulnerability News
- Critical WordPress plugin vulnerability allowed wiping databases
- Attackers exploiting Windows Installer vulnerability despite patching
- Critical Amazon Ring Vulnerability Could Expose Camera Recordings
- Attackers can Exploit Dirty Pipe Linux Vulnerability to Overwrite Data
- Rarible NFT Market Vulnerability Let Attackers to Transfer Crypto Assets