A significant vulnerability in all Red Hat Enterprise Linux, or RHEL, machines in Microsoft Azure was recently discovered by software engineer Ian Duffy, which raised questions about access management for cloud environments.
While configuring his own RHEL virtual machine in Azure, Duffy noticed an installation script that Microsoft used to apply configuration settings to each Red Hat host. These installation scripts exposed the hostnames and IP addresses of four appliances that Azure uses to push RHEL updates. These appliances are implemented within Azure to remove the need for individual Red Hat installations to connect to servers outside of Azure for updates.
Duffy also discovered a web application running on the build server that exposed a page that stored logs for the server. Duffy was able to run the log process without logging in, which returned a number of URLs to the log files that were created.
From these results, the most important finding was an SSL certificate that could be used to gain full administrative level access over the four update appliances. As these servers pushed out updates to all RHEL virtual machines for all Azure customers, it was then possible to replace a legitimate system update with something malicious and to wait for each of the customer machines to request a system update. This malicious update could be configured to grant the attacker access to each of the RHEL virtual machines that requested an update in Azure. This could expose huge amounts of customer data.
This was possible because the servers do not use GNU Privacy Guard (GPG) validation, a process that ensures that no one has altered or tampered with an update.
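As an added example (not from the original article, Microsoft or Red Hat), the Python sketch below audits yum-style repository configuration for enabled repositories where package signature checking (`gpgcheck`) is off, which is the client-side form of the validation described above. The repository ids and URLs are constructed sample data, and treating a missing global setting as disabled is an assumption.

```python
import configparser

TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed sample input: a [main] section and one .repo file (hypothetical names).
SAMPLE_MAIN = """
[main]
gpgcheck=1
"""

SAMPLE_REPO = """
[example-rhel-base]
baseurl=https://updates.example.internal/base
enabled=1

[example-rhel-extras]
baseurl=https://updates.example.internal/extras
enabled=1
gpgcheck=0

[example-rhel-debug]
baseurl=https://updates.example.internal/debug
enabled=0
gpgcheck=0
"""

def _parse(text):
    # interpolation=None so '%' in URLs is not treated as a substitution
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def _is_true(value):
    return value.strip().lower() in TRUE_VALUES

def unsigned_repos(main_text, repo_text):
    """Return enabled repo ids whose packages install without a GPG check."""
    # Assumption: a missing global gpgcheck is treated as off (conservative).
    default = _parse(main_text).get("main", "gpgcheck", fallback="0")
    repos = _parse(repo_text)
    findings = []
    for repo_id in repos.sections():
        section = repos[repo_id]
        if not _is_true(section.get("enabled", "1")):
            continue  # disabled repositories are not consulted for updates
        if not _is_true(section.get("gpgcheck", default)):
            findings.append(repo_id)
    return findings

if __name__ == "__main__":
    for repo_id in unsigned_repos(SAMPLE_MAIN, SAMPLE_REPO):
        print(f"gpgcheck disabled for enabled repo: {repo_id}")
```

On a real host the two arguments would be the contents of the main yum configuration file and each file under the repository configuration directory.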
A second vulnerability
Duffy also exposed a second vulnerability that allowed access to administrator API keys due to poor configuration of a standard file called WALinuxAgent, which is installed on RHEL Azure machines with the Linux Diagnostic Extension. These API keys were used to send debug logs to the storage account associated with the virtual machine. However, these API keys could also potentially be used to download virtual hard disks for other RHEL machines. This could be used to compromise customer data, but is limited to virtual hard disks on the same storage account as the attacker.
The vulnerability was responsibly reported to Microsoft via its bug bounty program. Microsoft locked down access to the build and update servers and changed all relevant keys and SSL certificates to ensure that the vulnerability was fixed. There is no evidence that the vulnerability was exploited by other parties prior to its discovery.
Although this RHEL virtual machine issue was within Microsoft Azure and, therefore, should have been prevented by its security processes, this incident should serve as a reminder to IT administrators that using cloud infrastructure does not mean that all responsibility for security can be handed over to the cloud provider. Where possible, the same processes that are applied to the security of infrastructure on your own premises should be applied to cloud-hosted infrastructure.