Microsoft update servers leave Azure RHEL instances hackable

Software engineer Ian Duffy was tasked with the job of creating a machine image of RHEL, but found more than he had bargained for

Microsoft has patched a huge flaw that left Azure Red Hat Enterprise Linux (RHEL) instances exposed and susceptible to attack.

Software engineer Ian Duffy was tasked with creating a machine image of RHEL compliant with the Department of Defense's Security Technical Implementation Guide (STIG), but found more than he had bargained for.

During the process, Duffy noticed an unusual installation script that Azure uses in its preconfigured RPM Package Manager setup. The script contained build host information that allowed him to locate all four Red Hat Update Appliances, which expose REST APIs over HTTPS.

He then discovered a package labelled 'PrepareRHUI' (Red Hat Update Infrastructure) that runs on all Azure RHEL machines and contains the rhui-monitor.cloud build host.

Effectively, in human speak, this boils down to broken username and password authentication that allowed him – and any savvy hacker – to access a backend log collector application. That application returned logs and configuration files, including an SSL certificate that granted full administrative power over the Red Hat Update Appliances.

Worse, he also found that Azure RHEL images are configured without GPG validation checks, meaning they would all accept malicious package updates on their next run of yum update.

"In theory, if exploited one could have gained root access to all virtual machines consuming the repositories by releasing an updated version of a common package and waiting for virtual machines to execute yum update," Duffy said.

"[Compromising updates] would just be a case of bumping the version number and releasing a package under the same name."
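The weak setting described above is a repository definition with GPG signature checking disabled. The following audit script is an added example, not code from the article, Microsoft or Red Hat: it parses yum repo definitions and flags enabled repositories that would install unsigned packages. The repo names, URLs and key path in the embedded sample are constructed placeholders, not the real Azure RHUI configuration.

```python
"""Audit yum repository definitions for disabled GPG signature checks."""
import configparser

# Constructed sample repo file: one repo with the weak setting the article
# describes (gpgcheck=0) beside a corrected one. Names and URLs are placeholders.
SAMPLE_REPO_FILE = """
[rhui-example-weak]
name=Example RHUI repo (constructed, weak)
baseurl=https://rhui.example.invalid/rhel/7/os
enabled=1
gpgcheck=0

[rhui-example-fixed]
name=Example RHUI repo (constructed, corrected)
baseurl=https://rhui.example.invalid/rhel/7/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder
"""


def find_unsigned_repos(repo_text, default_gpgcheck=True):
    """Return the names of enabled repos that would accept unsigned packages.

    A repo is flagged when its own gpgcheck is 0, or when it sets no gpgcheck
    and the inherited default (the [main] section of yum.conf) is disabled.
    Disabled repos (enabled=0) are never consulted by yum, so they are skipped.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    flagged = []
    for section in parser.sections():
        repo = parser[section]
        if repo.get("enabled", "1").strip() != "1":
            continue
        gpgcheck = repo.get("gpgcheck")
        # yum treats a missing gpgcheck as "use the [main] default"
        check_on = default_gpgcheck if gpgcheck is None else gpgcheck.strip() == "1"
        if not check_on:
            flagged.append(section)
    return flagged


if __name__ == "__main__":
    for name in find_unsigned_repos(SAMPLE_REPO_FILE):
        print(f"WARNING: repo '{name}' installs packages without GPG verification")
```

On a live host, pass the contents of each file under /etc/yum.repos.d/ and set default_gpgcheck from the gpgcheck value in the [main] section of /etc/yum.conf.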

Upon discovery of this, Microsoft immediately shuttered access to the rhui-monitor.cloud directory to close the hole.

Duffy kept searching for faults and found another vulnerability within the obligatory Microsoft Azure Linux Agent (WaLinuxAgent), which exposed API keys for debugging purposes.

This agent made it possible for Duffy to obtain administrator API keys and download virtual hard disks for any RHEL instance using the same storage account.

The software engineer says he was paid less than $3,500 for discovering the vulnerability under Microsoft's bug bounty, but did not name a precise figure. 

PCR's Sector Spotlight on Security, in association with BullGuard, is running throughout November 2016.
