Azure vulnerability allowed admin access to Red Hat Enterprise Linux instances

Microsoft has fixed the glitches which were reported as part of its bug bounty programme

A vulnerability in Microsoft's Azure cloud platform could have been exploited to gain administrator access to instances of Red Hat Enterprise Linux (RHEL) and storage accounts hosted on Azure.

The vulnerability was discovered by software engineer Ian Duffy who was working on creating a hardened RHEL image for use on both Amazon Web Services (AWS) and Microsoft Azure under a metered billing pricing model, consuming software updates from a local RHEL repository owned and managed by the cloud provider.

Both AWS and Azure utilise a deployment of Red Hat Update Infrastructure, comprising the Red Hat Update Appliance and Content Delivery Network, to supply this functionality. One copy of the Red Hat Update Appliance is created per region on both AWS and Azure.

Clients should be isolated from the Red Hat Update Appliance. AWS enforces this by requiring that an instance be booted from a machine image that contains the billing code; Azure has no such safeguard.

Duffy noticed that some Red Hat Package Manager (RPM) files contained client configurations for each region. An application reachable at rhui-monitor.cloudapp.net on port 8080 revealed the URLs of all Red Hat Update Appliances and gave access to archives containing configuration files and SSL certificates that could be used to gain full administrative access to the Red Hat Update Appliances.

"It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available," wrote Duffy in his blog.

"Despite the application requiring username- and password-based authentication, it was possible to execute a run of their 'backend log collector' on a specified content delivery server. When the collector service completed, the application supplied URLs to archives which contain multiple logs and configuration files from the servers."

It was also potentially possible to access storage accounts, Duffy said.

"Given some poor implementation within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent), one is able to obtain the administrator API keys to the storage account used by the virtual machine for debug log shipping purposes. At the time of research, this storage account defaulted to one shared by multiple virtual machines. If the storage account was used by multiple virtual machines there is potential to download their virtual hard disks."

Duffy reported the vulnerabilities to Microsoft as part of its bug bounty system. The company has since taken action to prevent public access to rhui-monitor.cloudapp.net and Red Hat Update Appliances.

It is not known whether the bug was ever exploited in the wild.