AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes

Researchers have disclosed a new critical vulnerability that would allow users to access the virtual disks of other Oracle Cloud customers. Researchers at Wiz, a cloud security firm, discovered that each virtual disk in Oracle Cloud Infrastructure (OCI) has a unique identifier called an OCID.

“This identifier is not considered secret, and organizations do not treat it as such,” according to Shir Tamari, Head of Research at Wiz.


“Given the OCID of a victim’s disk that is not currently attached to an active server or configured as shareable, an attacker could ‘attach’ to it and obtain read/write over it,” Tamari added.

Wiz reported the vulnerability responsibly to Oracle, and Oracle patched the issue within 24 hours on June 9, 2022. Wiz has dubbed the vulnerability “AttachMe.”

Oracle Cloud command line interface demonstrating access to a volume without sufficient permissions.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz researcher Elad Gabay said. “The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage.”

The vulnerability is considered critical, as a virtual disk could be attached to a compute instance from another account using the OCID without any authorization.

So long as the attacker’s instance is within the same Availability Domain as the intended target, the vulnerability could be exploited.
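The bug class Gabay describes, modelled as an added example (not Wiz's or Oracle's code, and not the actual OCI implementation): a simplified attach-volume handler with the volume ownership check missing, beside the hardened form that verifies ownership before applying the same-availability-domain and not-already-attached rules, plus the kind of per-API regression test the article recommends. Tenancy names, OCIDs and the object fields are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Set
@dataclass
class Volume:                     # constructed, minimal model of an OCI block volume
    ocid: str
    tenancy: str                  # owning tenancy
    availability_domain: str
    shareable: bool = False
    attachments: Set[str] = field(default_factory=set)   # attached instance OCIDs

@dataclass
class Instance:                   # constructed, minimal model of a compute instance
    ocid: str
    tenancy: str
    availability_domain: str

class AttachDenied(Exception):
    pass

def attach_volume_unchecked(caller_tenancy: str, volume: Volume, instance: Instance) -> bool:
    # The article's bug class: the volume OCID is taken as proof of access; ownership is never checked.
    if instance.tenancy != caller_tenancy:
        raise AttachDenied("instance not owned by caller")
    if volume.availability_domain != instance.availability_domain:
        raise AttachDenied("volume and instance are in different availability domains")
    volume.attachments.add(instance.ocid)
    return True

def attach_volume(caller_tenancy: str, volume: Volume, instance: Instance) -> bool:
    # Hardened: ownership of every object resolved from a caller-supplied OCID is verified first.
    if instance.tenancy != caller_tenancy:
        raise AttachDenied("instance not owned by caller")
    if volume.tenancy != caller_tenancy:
        raise AttachDenied("volume not owned by caller")        # the missing check
    if volume.availability_domain != instance.availability_domain:
        raise AttachDenied("volume and instance are in different availability domains")
    if volume.attachments and not volume.shareable:
        raise AttachDenied("volume already attached and not shareable")
    volume.attachments.add(instance.ocid)
    return True

def cross_tenant_attach_rejected(handler) -> bool:
    # Regression test: tenancy-B tries to attach tenancy-A's volume in the same AD (constructed OCIDs).
    victim_volume = Volume("ocid1.volume.example.victim", "tenancy-A", "AD-1")
    other_instance = Instance("ocid1.instance.example.other", "tenancy-B", "AD-1")
    try:
        handler("tenancy-B", victim_volume, other_instance)
    except AttachDenied:
        return True
    return False
```

Running `cross_tenant_attach_rejected` against both handlers shows the unchecked one accepting the cross-tenant attach and the hardened one refusing it.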

Oracle recommends all customers remain on actively supported versions and apply Critical Patch Updates without delay.