Thousands of Cloud Computing Servers Could Be Owned With ‘Very Simple’ Attack, Researchers Say – VICE

Cloud computing is often touted for its security benefits: its assumed that a company that hosts hundreds of servers for customers has superior skills and resources to secure data on those servers than the individual owners of that data. When a security breach happens in cloud computing, its usually the fault of the data owner who misconfigured their leased cloud server and not the cloud provider.

But researchers in Australia recently found a vulnerability in a cloud-management system used by thousands of cloud-service providers that potentially opened thousands of servers to attack through no fault of customers or their cloud-service provider.

The critical vulnerabilityin OnApp, one of the top cloud-computing management platforms used by thousands of cloud-hosting services around the worldwould allow an attacker to seize control of all servers managed by a cloud provider if he or she has access to just one of those serversfor example, by simply renting space on a server from the same provider, according to the Australian security firm Skylight Cyber, which discovered the issue. The vulnerability would let an attacker steal, corrupt, or delete data belonging to other customers, or encrypt the data to prevent owners of the data from accessing it, all while hiding the identity of the attacker.

Thats because the vulnerability allows the attacker to gain access to those servers using the top-level administrative credentials and privileges of the cloud provider.

This is not just a data leak, CEO of Skylight Cyber Adi Ashkenazy said. You have root access to those servers, so you could install malware, run ransomware, whatever you would like.... Its a horrific mistake. I shouldn't be able to use their authentication.

If data on the servers has been encrypted by the owners of that data, an attacker would at the very least be able to encrypt the data again with the hackers own key, preventing the owner from accessing the data on that server.

Since many cloud providers offer free trial accounts that only require an email address to sign up, an attacker wouldnt have to provide any identifying details to gain access to the first server to launch an attack.

OnApp is a London-based cloud management platform for hosting providers to manage fleets of cloud servers leased by government agencies and small and large commercial companies. Its been called the most popular cloud platform youve probably never heard of, and, according to the company, at least one in three public clouds use its platform, including VPS.net, which has 10,000 customers in more than 180 countries, according to its website. The researchers said they tested the vulnerability across two different cloud providers to verify that it worked, including VSP.net.

OnApp acknowledged the problem and has issued patches for the software, though the researchers say not all customers have applied them. OnApp declined to discuss with Motherboard how many customers hadnt patched their system yet, but in its patch notes, the company warned that There are no feasible workarounds for this vulnerability, we strongly recommend to update.

The issue, outlined in an industry security notice, affects all versions of OnApp used for managing Xen- or KVM-based virtual servers. The company told Motherboard that it did not affect other versions of OnApp. OnApp wouldnt say exactly how many cloud-service providers and their customers were using the versions of their platform that had the vulnerability.

[A]nyone using XEN or KVM hypervisors was affected, Ashkenazy said. Only OnApp know what the percentage of customers using it represent.

The researchers discovered the vulnerability by chance when they opened an account at a cloud provider and noticed an SSH connection (a type of secure, encrypted connection between two systems) to their server from the cloud provider, using the providers private keys. They wondered if the same keys were used to access every server managed by the cloud-hosting provider and in the course of investigating this discovered that they could trigger the system to initiate an SSH connection to any other server operated by the provider using the providers keyswithout ever knowing the providers keysgiving them the same root access and privileges as the provider.

Its very simple. Anyone can do it, Ashkenazy said.

The flaw exists because the OnApp platform is configured to allow so-called agent forwarding with SSH connections. The agent forwarding feature allows a private key used to connect to one system to be used to make automated and authenticated connections to other systems. This would generally be used by an administrator to write scripts to configure and manage a lot of systems simultaneously instead of having to configure each system separately.

But the way it was configured in OnApp, it also allowed the researchers to use that SSH connection to issue a command that triggers a cloud-provider's authentication system to initiate connections to other servers using the private keys stored in the providers authentication system. The researchers said they tested the vulnerability across two different cloud providers to verify that it worked, including VSP.net.

The way agent forwarding works is when they connect to my server [using SSH], they have an open socket that allows me to forward authentication requests to their server, Ashkenazy told Motherboard. [T]heir server, with their credentials that I never get to see, opens a channel [to other servers], and I can send whats known as a key challenge and they answer it for me, which allows me root access to any other server that accepts those credentials.

Ashkenazy said there was no reason for OnApp to have enabled agent forwarding but speculated that the company may have used it for a legitimate purpose at one point, but forgot to disable it when deploying the platform to customers.

In any case, the company was immediately responsive when Ashkenazys team contacted it.

OnApp told Motherboard that in addition to issuing patches, the company contacted all of its customers by email and other means in June and again in July to provide instructions for patching their OnApp control panels and also offered to do the update for customers free of charge. But not all customers applied the patch or took the company up on its free offer.

OnApp praised Skylight Cyber for alerting it to the issue and for withholding the technical details for exploiting the vulnerability until it could alert customers.

What we would like to emphasize, however, is the value of ethical hacking and the importance of vendors remaining vigilant to and responding swiftly to issues like this when they arise, company spokesman Steve Fenton wrote in an email. Wed like to highlight the diligence of the team at Skylight throughout the disclosure process, too: they also played an important role in mitigating this issue by testing the methodology behind the fix before patches were released to our customers.

Read this article:

Thousands of Cloud Computing Servers Could Be Owned With 'Very Simple' Attack, Researchers Say - VICE