A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed basically any user to read and write data belonging to any other OCI customer, researchers have claimed.
Experts from cloud security firm Wiz said they stumbled upon the vulnerability when building an OCI connector for their own tech stack, discovering that they could attach other people’s virtual disks to their virtual machine instances. The only thing they’d need is that other person’s storage (opens in new tab) volume Oracle Cloud Identifier, and that the other person’s volume supported multi-attachment (or wasn’t already attached).
With all these things aligned, a potential threat actor would be able to access any sensitive information found on the volume - and to make matters worse, they’d also be able to write over it.
Describing the findings in a blog post (opens in new tab) , Wiz’s Elad Gabay said the flaw "could be used to manipulate any data on the volume, including the operating system runtime (by modifying binaries, for example), thus gaining code execution over the remote compute instance and a foothold in the victim's cloud (opens in new tab) environment, once the volume is used to boot a machine."