
Critical vulnerability affecting cloud servers: thousands of servers infected

Because of the advantages it offers, cloud computing is widely regarded as a much safer environment for stored information. However, vulnerability testing specialists have discovered a security flaw in a cloud management system used by thousands of service providers that could expose the information of thousands of system administrators.

The vulnerability is present in OnApp, one of the most important cloud computing management platforms, used by thousands of hosting services. If exploited, it would allow a threat actor to take control of all servers managed by a cloud provider relatively easily (for example, by renting space on a server from the same provider). The flaw would also allow hackers to steal, corrupt and even delete information belonging to other customers.

According to vulnerability testing specialists, the vulnerability allows hackers to gain access to compromised servers using login credentials with administrator privileges. “This is not a simple information leak,” said Adi Ashkenazy of security firm Skylight Cyber in an interview with the online platform VICE. “Root access to servers means that hackers can install malware, distribute ransomware or carry out any other malicious activity,” adds the researcher.

In some cases the hackers might find that the information stored on these servers has been encrypted by administrators. However, this information could be re-encrypted by hackers using their own keys, an equally disastrous scenario.

OnApp is a cloud management platform used by government agencies, small businesses and even some large companies. According to the company's own data, at least one in three public clouds uses OnApp. Vulnerability testing experts mention that the vulnerability was tested by two different cloud providers, demonstrating that exploitation is possible.

The flaw affects all versions of OnApp used to manage Xen- or KVM-based virtual servers. It was discovered by chance after the researchers opened an account with a cloud provider and noticed an SSH connection to their server coming from the cloud provider and authenticated with the provider's private keys.

Trying to find out whether the same keys were used to access all servers managed by this provider, the experts found that it was possible to trigger the system into initiating an SSH connection to any other server operated by the company, using the provider's keys.

Simply put, the experts were able to access any server with administrator privileges without knowing the cloud provider's keys. “It's really simple and anyone could do it,” the experts say.

Apparently the flaw exists because OnApp is configured to allow “agent forwarding” on its SSH connections. Agent forwarding lets a private key held on one system be used to make automated, authenticated connections to another system; it is commonly used by scripts that manage many systems at once rather than one at a time. The way OnApp was configured allowed a customer to use that SSH connection to send a command that made the cloud provider's authentication agent initiate connections to other servers using the provider's keys.
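The exposure described above is a client-side one: a management host whose OpenSSH client config forwards its agent into every destination it connects to, including untrusted customer machines. The following audit script is an added example, not OnApp's code or anything from the original article; it resolves the effective `ForwardAgent` value the way OpenSSH does (first matching `Host` block wins, default `no`) and lists which destinations would receive the agent. Host names and both configs are constructed; `Match` blocks and negated patterns are not modelled.

```python
"""Audit an OpenSSH client config (ssh_config) for agent-forwarding exposure.

OpenSSH resolves each option first-match-wins: the first Host block whose
pattern matches the destination supplies the value; ForwardAgent defaults
to "no" only when no matching block sets it. Assumption: Match blocks and
negated (!) Host patterns are not handled by this simplified parser.
"""
import fnmatch
import re

# Constructed sample: a blanket "Host *" rule forwards the agent everywhere,
# so any customer VM this host connects to can reuse the operator's keys.
WEAK_CONFIG = """
Host *
    ForwardAgent yes
    ServerAliveInterval 30
"""

# Constructed sample: forward only to a trusted bastion, deny for everything else.
HARDENED_CONFIG = """
Host bastion.example.internal
    ForwardAgent yes
Host *
    ForwardAgent no
"""

def _blocks(config_text):
    """Yield (patterns, {option: value}) per Host block; options before any Host apply to '*'."""
    patterns, options = ["*"], {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            yield patterns, options
            patterns, options = value.split(), {}    # a Host line may list several patterns
        else:
            options.setdefault(key.lower(), value)   # first occurrence wins inside a block too
    yield patterns, options

def forward_agent_enabled(config_text, hostname):
    """Effective ForwardAgent for hostname: first matching block that sets it, else no."""
    for patterns, options in _blocks(config_text):
        if "forwardagent" in options and any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            return options["forwardagent"].strip().lower() == "yes"
    return False

def exposed_destinations(config_text, hostnames):
    """Return the destinations that would receive the forwarded agent."""
    return [h for h in hostnames if forward_agent_enabled(config_text, h)]
```

On a real host, `ssh -G <destination>` prints OpenSSH's own resolved option values, which you can compare against the script's answer for a given destination.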

Upon receiving the report, OnApp began working on the software updates needed to fix the vulnerability, although it will take a while for all users to update their deployments. Although OnApp did not disclose any further details, it did stress that it is important to install the patches, as there are no workarounds to mitigate the risk.

Vulnerability testing specialists at the International Institute of Cyber Security (IICS) mention that the company's clients are being contacted by email to inform them of the situation and to reduce the exposure as quickly as possible by updating affected systems.
