"Critical Vulnerability in Oracle Cloud Infrastructure Allowed Unauthorized Access"

A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed unauthorized access to the cloud storage volumes of any OCI customer, breaking the tenant isolation that cloud platforms depend on. Security researchers at Wiz discovered the flaw in June and named it AttachMe; Wiz has since described it in a newly published advisory. According to Wiz, Oracle patched the flaw for all OCI customers within 24 hours of being notified, with no customer action required. Before the patch, however, every OCI customer was exposed to any attacker who knew about the vulnerability. Any unattached storage volume, and any attached volume that permitted multi-attachment, could be read from or written to by an attacker who knew only its Oracle Cloud Identifier (OCID), with no check that the attacker was authorized to access that volume. That allowed sensitive data to be exfiltrated, or more destructive attacks to be staged by modifying executable files on the volume. Wiz notes that the attack paths opened by the flaw included privilege escalation and cross-tenant access. The researchers conclude that the case underscores the importance of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities for cloud security.
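The following Python is an added illustration of the class of flaw the brief describes, not Oracle's code and not a Wiz artifact. It models a volume-attach API in two forms: a vulnerable one that checks only that the OCID names an existing volume and that the attachment state allows another attachment (unattached, or attached but multi-attach), and a hardened one that decides authorization before any state check. The "tenancy" label is an assumed stand-in for OCI's real IAM compartment and policy checks, and all OCIDs and tenancy names are constructed for the example.

```python
# Constructed model of the AttachMe authorization flaw class.
# Not OCI code: the "tenancy" label stands in for OCI's real IAM
# compartment/policy checks, and the OCIDs below are made up.
from dataclasses import dataclass, field


class AttachError(Exception):
    """Raised when a volume attachment is refused."""


@dataclass
class Volume:
    ocid: str
    tenancy: str                 # owning tenancy (stand-in for IAM ownership)
    multi_attach: bool = False   # shareable (multi-attach) volume?
    attached_to: set = field(default_factory=set)  # instance OCIDs


@dataclass
class Instance:
    ocid: str
    tenancy: str                 # tenancy of the caller attaching the volume


def _check_attachment_state(vol: Volume) -> None:
    # A volume that is already attached can take a second attachment only
    # when it is a multi-attach volume; otherwise the request conflicts.
    if vol.attached_to and not vol.multi_attach:
        raise AttachError("conflict: volume already attached")


def attach_volume_vulnerable(volumes: dict, volume_ocid: str, caller: Instance) -> Volume:
    """Flawed control plane: knowing a valid OCID is enough to attach."""
    vol = volumes.get(volume_ocid)
    if vol is None:
        raise AttachError("not found")
    _check_attachment_state(vol)
    vol.attached_to.add(caller.ocid)      # no check that the caller owns vol
    return vol


def attach_volume_hardened(volumes: dict, volume_ocid: str, caller: Instance) -> Volume:
    """Fixed control plane: authorization is decided before any state check."""
    vol = volumes.get(volume_ocid)
    # Missing and foreign volumes get the identical error, so the API cannot
    # be used as an oracle for guessing which OCIDs exist in other tenancies.
    if vol is None or vol.tenancy != caller.tenancy:
        raise AttachError("not found or not authorized")
    _check_attachment_state(vol)
    vol.attached_to.add(caller.ocid)
    return vol


def build_fixture():
    """Constructed victim volumes and an attacker instance in another tenancy."""
    victim_vm = "ocid1.instance.oc1.iad.victim0001"
    volumes = {
        "ocid1.volume.oc1.iad.unattached01": Volume(
            "ocid1.volume.oc1.iad.unattached01", "victim-tenancy"),
        "ocid1.volume.oc1.iad.shared00001": Volume(
            "ocid1.volume.oc1.iad.shared00001", "victim-tenancy",
            multi_attach=True, attached_to={victim_vm}),
        "ocid1.volume.oc1.iad.exclusive01": Volume(
            "ocid1.volume.oc1.iad.exclusive01", "victim-tenancy",
            attached_to={victim_vm}),
    }
    attacker = Instance("ocid1.instance.oc1.phx.attacker01", "attacker-tenancy")
    return volumes, attacker


def run_scenario(attach) -> dict:
    """Try to attach every victim volume to the attacker's instance."""
    volumes, attacker = build_fixture()
    outcome = {}
    for ocid in volumes:
        try:
            attach(volumes, ocid, attacker)
            outcome[ocid] = "attached"
        except AttachError as exc:
            outcome[ocid] = str(exc)
    return outcome


if __name__ == "__main__":
    for name, fn in (("vulnerable", attach_volume_vulnerable),
                     ("hardened", attach_volume_hardened)):
        print(name)
        for ocid, result in run_scenario(fn).items():
            print(f"  {ocid}: {result}")
```

Against the vulnerable API the attacker's instance attaches both the unattached volume and the multi-attach volume using nothing but their OCIDs, and is refused only on the exclusively attached one, which is exactly the exposure the brief describes. The hardened API refuses all three, and it does so before looking at attachment state so that the error message does not leak whether a guessed OCID exists.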

Infosecurity reports: "Critical Vulnerability in Oracle Cloud Infrastructure Allowed Unauthorized Access"