Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/24/2012
04:38 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Dirty Disks Raise New Questions About Cloud Security

Context Information Security IDs potentially significant flaws in the implementation of cloud infrastructure services

April 24th 2012 - Research by Context Information Security has identified potentially significant flaws in the implementation of Cloud infrastructure services offered by some providers, which could be putting their clients’ data at risk. By exploiting the vulnerability, which revolves around data separation, Context consultants were able to gain access to some data left on other service users’ ‘dirty disks’ (1), including fragments of customer databases and elements of system information that could, in combination with other data, allow an attacker to take control of other hosted servers.

Context tested four providers and found that two of them, VPS.NET and Rackspace, were not always securely separating virtual servers or nodes through shared hard disk and network resources. In line with Context’s responsible disclosure procedures both providers were immediately informed of the findings. Rackspace worked closely with Context to identify and fix the potential vulnerability, which was found among some users of its now-legacy platform for Linux Cloud Servers. Rackspace reports that it knows of no instance in which any customer’s data was seen or exploited in any way by any unauthorized party. Context has tested Rackspace’s current cloud platform as well as its new Next Generation Cloud computing solution based on OpenStack, and has been able to confirm that the security vulnerability has been resolved. But other providers might be vulnerable if they use popular hypervisor software, and implement it in the way that Rackspace did before its recent remediation efforts.

VPS.NET told Context that it rolled out a patch to resolve the security issue, but provided no details. VPS.NET is based on OnApp technology that is also used by over 250 other cloud providers. OnApp told Context that it now allows customers to opt-in to having their data removed securely, leaving thousands of virtual machines at potential risk. OnApp added that it has not taken measures to clean up remnant data left by providers or customers, on the grounds that not many customers are affected.

During the course of Context’s research, it became clear that if virtual machines are not sufficiently isolated or a mistake is made somewhere in the provisioning or de-provisioning process, then leakage of data might occur between servers. Context has today published more details on the Dirty Disks vulnerability in a blog at: /http://www.contextis.com/research/blog/dirtydisks/

(1) In line with Context’s responsible disclosure procedures and confidentiality obligations, Context limited access to making a determination that the data was available. Context did not disclose, use, record, transmit or store any of the data it accessed.

“In the cloud, instead of facing an infrastructure based on separate physical boxes, an attacker can purchase a node from the same provider and attempt an attack on the target organisation from the same physical machine and using the same physical resources” said Michael Jordon, Research and Development Manager at Context .“This does not mean that the Cloud is unsafe and the business benefits remain compelling, but the simplicity of this issue raises important questions about the maturity of Cloud technology and the level of security and testing undertaken in some instances.”

The vulnerability itself is due to the way in which some providers automatically provision new virtual servers, initialise operating systems and allocate new storage space. For performance reasons or due to errors, security measures to provide separation between different nodes on a multi-user platform sometimes are not implemented, making it possible to read areas of other virtual disks and so gain access to data which exists on the physical storage provider.

While the data accessed by Context was not live, the most recent data identified was less than a week old. This is most likely due to the virtual storage system moving disk images around the cloud to improve performance or disk usage, leaving old data in the original location which is subsequently reallocated but not zeroed to prevent the space being used.

Since being alerted to the issue by Context last year, Rackspace has undertaken considerable efforts to ensure that any data deleted from their physical disk is zeroed to prevent new servers seeing other users and have taken measures to clean up all existing virtual disks, on what is now their legacy cloud servers platform.

“It is unclear how widespread this issue is among other Cloud providers” said Context’s Michael Jordon. “By raising awareness of the problem, other service providers of Cloud Infrastructure services can ensure they do not put their customers data at risk in the same manner and customers can undertake the appropriate due diligence before moving to the Cloud .”

About Context Context was launched in 1998 and has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. The company’s strong track record is based above all, on the technical skills, professionalism, independence and integrity of its consultants.

Many of the world's most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants are frequently invited to present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services t and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.