Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:15 PM
Connect Directly

Cloud Vulnerability Could Let One Server Compromise Thousands

A flaw in the OnApp cloud management platform could let an attacker compromise a private cloud with access to a single server.

A newly disclosed critical vulnerability in the OnApp cloud orchestration platform could let an attacker compromise an entire private cloud with access to a single server, researchers report.

The finding comes from researchers at security firm Skylight Cyber who say the flaw has the potential to affect hundreds of thousands of production servers and organizations around the world. OnApp is a London-based cloud management platform, one of the top firms that powers thousands of clouds for managed service providers, telcos, and other cloud hosting services.

Cloud security issues are common these days; however, we usually see them in the context of user misconfigurations and resulting accidental data leaks. In most cases, these mishaps are the user's fault. This particular flaw, located in a management system that thousands of providers use, could let an attacker access, steal, change, or eliminate data on a server through no fault of the user or provider.

OnApp's strategy for managing different servers in the cloud environment could allow attackers to achieve remote code execution (RCE) with root privileges. They simply need to rent a server — a simple process, and one that many companies require only an email address to do.

With that server, an attacker could compromise an entire private cloud due to the way OnApp manages different servers in the cloud environment, researchers explain in a technical blog post. Any user could trigger an SSH connection from OnApp to the managed server due to "agent forwarding," which lets an attacker relay authentication to any server in the same cloud.

The vulnerability affects all OnApp control panels managing Xen or KVM compute resources, OnApp says in a security advisory. It does not affect OnApp control panels that only manage VMware vCloud Director, VMware vCenter environments, or CDN-only control panels. The company has issued a patch for the flaw and says there are no feasible workarounds for this.

Researchers tested, confirmed, and replicated their methodology across multiple cloud vendors, using OnApp for Xen and KVM hypervisors. In fact, it worked for them on the first try.

How They Found It
Skylight began investigating this in May when alerted to hate messages targeting the campaign of an Australian federal parliament member running for office. Emails were disguised to appear as though they came from many Australian businesses; however, they came from a single source.

Analysis of the emails led to the discovery of several servers used to send them. It seems the attacker preferred to use a single hosting company, probably because it didn't require payment or ID to start a free 24-hour trial. Researchers decided to mimic the steps of the attacker and see if they left incriminating evidence. With nothing found, they hypothesized there could be a bug.

The researchers explored the control panel of the hosting company and saw there was an SSH connection between their server and the cloud provider. A public key had been pre-installed to access the server, prompting the team to wonder whether the management software was using the same key pair to manage every server. Researchers found this was the case, and they could launch an SSH connection to any server with the hosting company. They could do this even if they didn't have the private key, which granted the same level of root access the provider had.

Agent forwarding made this possible. A feature of SSH, this lets you connect to a remote machine via SSH and give that machine the ability to use SSH to connect to other machines — without ever having the private authentication key or the passphrase that protects it, researchers explain.

The benefit is that someone can keep a private key locally, on one server, instead of storing it on multiple servers to authenticate connections. Using agent forwarding, this server can provide a remote server with the means to use the private key without having to expose it. The local machine answers "key challenges" and relays them through the remote server to target servers.

Researchers call this "an extremely dangerous feature." With agent forwarding enabled, a remote server accepting your SSH connection could authenticate to any server that accepts your credentials. They were able to trigger management software to use SSH to connect to their server and run commands, then swap the code it was intended to execute with arbitrary code by replacing one of the binaries it commonly executes. OnApp's configuration of SSH with agent forwarding gave researchers a full chain to compromise all servers in a hosting company with root privileges.

Researchers tested this by setting up a source server, which an attacker could obtain with a simple free trial, and a target server. They overwrote the "tput" binary on the source server with their own script that used SSH forwarding to connect with the target server and drop a flag file. They triggered the management software and saw the flag file appear on the target server.

"If we could replicate this across other companies, then the impact is much greater and more dangerous," according to Skylight Cyber. "All we have to do is find cloud providers using OnApp, rent a couple of servers, and test our thesis again."

The vulnerability was assigned to the ID CVE-2019-12491.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Why Clouds Keep Leaking Data."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/1/2019 | 3:18:20 AM
Re: OnApp reached out to me a few months ago
Good share!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be map...
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs....
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, o...
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes...
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM g...