Microsoft update servers leave Azure RHEL instances hackable

Microsoft has patched a huge flaw that left Azure Red Hat Enterprise Linux (RHEL) compromised and sucseptible to attack.

Software engineer Ian Duffy was tasked with the job of creating a machine image of RHEL that was compliant to the Department of Defence’s ‘Security Technical Implementation’ guide, but found more than he had bargained for. 

Durig the process, Duffy noticed an unusual installation script Azure uses in its preconfigured RPM Package Manager that contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS.

He then discovered a package labelled ‘PrepareRHUI’ (Red Hat Update Infrastructure) that runs on all Azure RHEL machines, and contains the build host. 

Effectively in human speak, this boils down to broken username and password authentication that allowed him – and any savvy hacker – to access a backend log collector application which returned logs and configuration files with an SSL certificate that granted full administrative power to the Red Hat Update Appliances.

Worse, he also found that Azure RHEL images are configured without GPG validation checks, meaning all would accept mallicious package updates on their next run of yum updates. 

"In theory, if exploited one could have gained root access to all virtual machines consuming the repositories by releasing an updated version of a common package and waiting for virtual machines to execute yum update," Duffy said.

"[Compromising updates] would just be a case of bumping the version number and releasing a package under the same name."

Upon discovery of this, Microsoft immediately shuttered access to the directory to close the hole.

Duffy was hard at work searching for faults as he found another vulnerability within the obligatory Microsoft Azure Linux Agent (WaLinuxAgent) which exposed API keys for debugging purposes.

This Agent made it possible for Duffy to gain administrator API keys and download virtual hard disks for any RHEL using the same storage account.

The software engineer says he was paid less than $3,500 for discovering the vulnerability under Microsoft’s bug bounty, but did not name a precise figure. 

PCR’s Sector Spotlight on Security – in association with BullGuard – is running throughout November 2016 – click here for more articles

Check Also

PCR February issue Vendor Relationships Special: How to get involved?

In PCR’s February issue we will have a special focus on Vendor Relationships. We will …