Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/27/2019
03:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Cloud Vulnerability Could Let One Server Compromise Thousands

A flaw in the OnApp cloud management platform could let an attacker compromise a private cloud with access to a single server.

A newly disclosed critical vulnerability in the OnApp cloud orchestration platform could let an attacker compromise an entire private cloud with access to a single server, researchers report.

The finding comes from researchers at security firm Skylight Cyber who say the flaw has the potential to affect hundreds of thousands of production servers and organizations around the world. OnApp is a London-based cloud management platform, one of the top firms that powers thousands of clouds for managed service providers, telcos, and other cloud hosting services.

Cloud security issues are common these days; however, we usually see them in the context of user misconfigurations and resulting accidental data leaks. In most cases, these mishaps are the user's fault. This particular flaw, located in a management system that thousands of providers use, could let an attacker access, steal, change, or eliminate data on a server through no fault of the user or provider.

OnApp's strategy for managing different servers in the cloud environment could allow attackers to achieve remote code execution (RCE) with root privileges. They simply need to rent a server — a simple process, and one that many companies require only an email address to do.

With that server, an attacker could compromise an entire private cloud due to the way OnApp manages different servers in the cloud environment, researchers explain in a technical blog post. Any user could trigger an SSH connection from OnApp to the managed server due to "agent forwarding," which lets an attacker relay authentication to any server in the same cloud.

The vulnerability affects all OnApp control panels managing Xen or KVM compute resources, OnApp says in a security advisory. It does not affect OnApp control panels that only manage VMware vCloud Director, VMware vCenter environments, or CDN-only control panels. The company has issued a patch for the flaw and says there are no feasible workarounds for this.

Researchers tested, confirmed, and replicated their methodology across multiple cloud vendors, using OnApp for Xen and KVM hypervisors. In fact, it worked for them on the first try.

How They Found It
Skylight began investigating this in May when alerted to hate messages targeting the campaign of an Australian federal parliament member running for office. Emails were disguised to appear as though they came from many Australian businesses; however, they came from a single source.

Analysis of the emails led to the discovery of several servers used to send them. It seems the attacker preferred to use a single hosting company, probably because it didn't require payment or ID to start a free 24-hour trial. Researchers decided to mimic the steps of the attacker and see if they left incriminating evidence. With nothing found, they hypothesized there could be a bug.

The researchers explored the control panel of the hosting company and saw there was an SSH connection between their server and the cloud provider. A public key had been pre-installed to access the server, prompting the team to wonder whether the management software was using the same key pair to manage every server. Researchers found this was the case, and they could launch an SSH connection to any server with the hosting company. They could do this even if they didn't have the private key, which granted the same level of root access the provider had.

Agent forwarding made this possible. A feature of SSH, this lets you connect to a remote machine via SSH and give that machine the ability to use SSH to connect to other machines — without ever having the private authentication key or the passphrase that protects it, researchers explain.

The benefit is that someone can keep a private key locally, on one server, instead of storing it on multiple servers to authenticate connections. Using agent forwarding, this server can provide a remote server with the means to use the private key without having to expose it. The local machine answers "key challenges" and relays them through the remote server to target servers.

Researchers call this "an extremely dangerous feature." With agent forwarding enabled, a remote server accepting your SSH connection could authenticate to any server that accepts your credentials. They were able to trigger management software to use SSH to connect to their server and run commands, then swap the code it was intended to execute with arbitrary code by replacing one of the binaries it commonly executes. OnApp's configuration of SSH with agent forwarding gave researchers a full chain to compromise all servers in a hosting company with root privileges.

Researchers tested this by setting up a source server, which an attacker could obtain with a simple free trial, and a target server. They overwrote the "tput" binary on the source server with their own script that used SSH forwarding to connect with the target server and drop a flag file. They triggered the management software and saw the flag file appear on the target server.

"If we could replicate this across other companies, then the impact is much greater and more dangerous," according to Skylight Cyber. "All we have to do is find cloud providers using OnApp, rent a couple of servers, and test our thesis again."

The vulnerability was assigned to the ID CVE-2019-12491.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Why Clouds Keep Leaking Data."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LeonorCastro
50%
50%
LeonorCastro,
User Rank: Apprentice
10/1/2019 | 3:18:20 AM
Re: OnApp reached out to me a few months ago
Good share!
tdsan
100%
0%
tdsan,
User Rank: Ninja
9/30/2019 | 1:46:10 PM
OnApp reached out to me a few months ago

The researchers explored the control panel of the hosting company and saw there was an SSH connection between their server and the cloud provider. A public key had been pre-installed to access the server, prompting the team to wonder whether the management software was using the same key pair to manage every server. Researchers found this was the case, and they could launch an SSH connection to any server with the hosting company. They could do this even if they didn't have the private key, which granted the same level of root access the provider had.

 It is interesting that you bring this up, because we had tested their solution out but they did not allow us to test the internet connectivity of their cloud solution. Whew, I am glad that we did not decide to go with it due to testing limitations they put on their product. Well, this is good to know and one thing, the price of the product was way outside of the major cloud providers or CSPs (Cloud Service Providers).


Anyway, thank you for the insight.

Tod
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.