Researchers have disclosed a new critical vulnerability that would allow users to access the virtual disks of other Oracle Cloud customers. Wiz researchers, a cloud security firm, discovered that each virtual disk in Oracle Cloud’s infrastructure has a unique identifier called OCID.
“This identifier is not considered secret, and organizations do not treat it as such”, according to Shir Tamari, Head of Research at Wiz.
“Given the OCID of a victim’s disk that is not currently attached to an active server or configured as shareable, an attacker could ‘attach’ to it and obtain read/write over it,” Tamari added.
Wiz reported the vulnerability responsibly to Oracle, and Oracle patched the issue within 24 hours on June 9, 2022. Wiz has dubbed the vulnerability “AttachMe.”
“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz researcher Elad Gabay said. “The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage.”
The vulnerability is considered critical, as a virtual disk could be attached to a compute instance from another account using the OCID without any authorization.
So long as the attacker’s instance is within the same Availability Domain as the intended target, the vulnerability could be exploited.
Oracle recommends all customers remain on actively supported versions and apply Critical Patch Updates without delay.
