Each virtual disk (block volume) in Oracle Cloud Infrastructure has a unique identifier, the Oracle Cloud Identifier (OCID). OCIDs are not designed to be secret, and organizations do not treat them as such. Given the OCID of a victim's volume that was either not currently attached to a running instance or was configured as shareable (multi-attach), an attacker could "attach" that volume to their own compute instance and obtain read/write access to it.
The vulnerability, dubbed AttachMe, allowed a volume to be attached to a compute instance in another tenancy by OCID alone, without any check that the caller was authorized to use that volume. An attacker in possession of the OCID could have used it to access any such storage volume, leading to data exposure and exfiltration, or could have altered boot volumes to gain code execution on the instances that boot from them.
Insufficient validation of user permissions is a common bug class among cloud service providers: the service verifies that the requested resource exists and is in a usable state, but not that the caller is entitled to it. The most reliable way to catch such issues is rigorous code review of, and comprehensive authorization tests for, every sensitive API during development, with negative test cases that exercise resources owned by another tenancy.
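The following is an added, deliberately simplified example, not Oracle's code and not Wiz's proof of concept. It models a volume-attach API whose only check is the volume's attachment state (the gap described above), beside a hardened version that also verifies the caller's tenancy owns both the volume and the target instance. The OCID strings, tenancy names, class names and the `AuthzError` type are all hypothetical and constructed for illustration.

```python
"""
Toy volume-attachment service (added illustration; all names, OCIDs and
tenancies here are hypothetical and constructed, not real OCI internals).
"""
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when the requested attach is refused."""


@dataclass
class Volume:
    ocid: str                  # hypothetical identifier; OCIDs are not secrets
    tenancy: str               # tenancy that owns the volume
    shareable: bool = False    # multi-attach allowed?
    attached_to: set = field(default_factory=set)  # instance OCIDs


@dataclass
class Instance:
    ocid: str
    tenancy: str


@dataclass
class Caller:
    tenancy: str               # tenancy the API request is authenticated as


class VulnerableAttachService:
    """Looks the volume up by OCID and checks only its *state*.
    Possession of the identifier is treated as proof of entitlement."""

    def __init__(self, volumes):
        self.volumes = {v.ocid: v for v in volumes}

    def attach(self, caller, instance, volume_ocid):
        vol = self.volumes[volume_ocid]
        # State check only: refuse a second attach to a non-shareable volume.
        if vol.attached_to and not vol.shareable:
            raise AuthzError("volume already attached and not shareable")
        # No tenancy check: a caller from another tenancy gets through.
        vol.attached_to.add(instance.ocid)
        return vol


class HardenedAttachService(VulnerableAttachService):
    """Same API, but entitlement is verified before the state check."""

    def attach(self, caller, instance, volume_ocid):
        vol = self.volumes.get(volume_ocid)
        # Deny unless the caller's tenancy owns BOTH the volume and the
        # target instance. One generic error for "not found" and "not yours"
        # so the endpoint cannot be used to probe which OCIDs exist.
        if (vol is None
                or vol.tenancy != caller.tenancy
                or instance.tenancy != caller.tenancy):
            raise AuthzError("not authorized")
        return super().attach(caller, instance, volume_ocid)


def _victim_volume():
    # Constructed sample: an unattached, non-shareable volume in another tenancy.
    return Volume(ocid="ocid1.volume.oc1..victimexample", tenancy="victim-tenancy")


def cross_tenant_attempt(service_cls):
    """Attacker in 'attacker-tenancy' tries to attach the victim's volume
    to their own instance, knowing only the OCID."""
    svc = service_cls([_victim_volume()])
    attacker = Caller(tenancy="attacker-tenancy")
    attacker_vm = Instance(ocid="ocid1.instance.oc1..attackerexample",
                           tenancy="attacker-tenancy")
    try:
        svc.attach(attacker, attacker_vm, "ocid1.volume.oc1..victimexample")
        return "attached"
    except AuthzError:
        return "denied"


def owner_attempts(service_cls):
    """Legitimate owner attaches once (should succeed), then tries a second
    non-shareable attach (should be refused by the state check)."""
    svc = service_cls([_victim_volume()])
    owner = Caller(tenancy="victim-tenancy")
    results = []
    for idx in (1, 2):
        vm = Instance(ocid=f"ocid1.instance.oc1..owner{idx}", tenancy="victim-tenancy")
        try:
            svc.attach(owner, vm, "ocid1.volume.oc1..victimexample")
            results.append("attached")
        except AuthzError:
            results.append("denied")
    return results


if __name__ == "__main__":
    print("vulnerable, cross-tenant:", cross_tenant_attempt(VulnerableAttachService))
    print("hardened,   cross-tenant:", cross_tenant_attempt(HardenedAttachService))
    print("hardened,   owner x2:    ", owner_attempts(HardenedAttachService))
```

The point of the negative test in `cross_tenant_attempt` is that it is exactly the case a state-only check never exercises: the volume is free, so the vulnerable service happily attaches it. An authorization test suite for a sensitive API should include at least one such "resource exists, caller is a stranger" case per endpoint.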