Thousands of Cloud Computing Servers Could Be Owned With 'Very Simple' Attack, Researchers Say
Researchers at Skylight Cyber found a vulnerability in OnApp's cloud computing management platform that could potentially have given attackers root access to thousands of servers.
by Kim Zetter
Sep 26 2019, 5:25pm
Image: Cathryn Virginia
Cloud computing is often touted for its security benefits: it’s assumed that a company that hosts hundreds of servers for customers has superior skills and resources to secure data on those servers than the individual owners of that data. When a security breach happens in cloud computing, it’s usually the fault of the data owner who misconfigured their leased cloud server and not the cloud provider.
But researchers in Australia recently found a vulnerability in a cloud-management system used by thousands of cloud-service providers that potentially opened thousands of servers to attack through no fault of customers or their cloud-service provider.
The critical vulnerability—in OnApp, one of the top cloud-computing management platforms used by thousands of cloud-hosting services around the world—would allow an attacker to seize control of all servers managed by a cloud provider if he or she has access to just one of those servers—for example, by simply renting space on a server from the same provider, according to the Australian security firm Skylight Cyber, which discovered the issue. The vulnerability would let an attacker steal, corrupt, or delete data belonging to other customers, or encrypt the data to prevent owners of the data from accessing it, all while hiding the identity of the attacker.
That’s because the vulnerability allows the attacker to gain access to those servers using the top-level administrative credentials and privileges of the cloud provider.
“This is not just a data leak,” CEO of Skylight Cyber Adi Ashkenazy said. “You have root access to those servers, so you could install malware, run ransomware, whatever you would like.... It’s a horrific mistake. I shouldn't be able to use their authentication.”
If data on the servers has been encrypted by the owners of that data, an attacker would at the very least be able to encrypt the data again with the hacker’s own key, preventing the owner from accessing the data on that server.
Since many cloud providers offer free trial accounts that only require an email address to sign up, an attacker wouldn’t have to provide any identifying details to gain access to the first server to launch an attack.
OnApp is a London-based cloud management platform for hosting providers to manage fleets of cloud servers leased by government agencies and small and large commercial companies. It’s been called “the most popular cloud platform you’ve probably never heard of,” and, according to the company, at least one in three public clouds use its platform, including VPS.net, which has 10,000 customers in more than 180 countries, according to its website. The researchers said they tested the vulnerability across two different cloud providers to verify that it worked, including VPS.net.
OnApp acknowledged the problem and has issued patches for the software, though the researchers say not all customers have applied them. OnApp declined to discuss with Motherboard how many customers hadn’t patched their system yet, but in its patch notes, the company warned that “There are no feasible workarounds for this vulnerability, we strongly recommend to update.”
The issue, outlined in an industry security notice, affects all versions of OnApp used for managing Xen- or KVM-based virtual servers. The company told Motherboard that it did not affect other versions of OnApp. OnApp wouldn’t say exactly how many cloud-service providers and their customers were using the versions of their platform that had the vulnerability.
“[A]nyone using XEN or KVM hypervisors was affected,” Ashkenazy said. “Only OnApp know what the percentage of customers using it represent.”
The researchers discovered the vulnerability by chance when they opened an account at a cloud provider and noticed an SSH connection (a type of secure, encrypted connection between two systems) to their server from the cloud provider, using the provider’s private keys. They wondered if the same keys were used to access every server managed by the cloud-hosting provider and in the course of investigating this discovered that they could trigger the system to initiate an SSH connection to any other server operated by the provider using the provider’s keys—without ever knowing the provider’s keys—giving them the same root access and privileges as the provider.
“It’s very simple. Anyone can do it,” Ashkenazy said.
The flaw exists because the OnApp platform is configured to allow so-called “agent forwarding” with SSH connections. The “agent forwarding” feature allows a private key used to connect to one system to be used to make automated and authenticated connections to other systems. This would generally be used by an administrator to write scripts to configure and manage a lot of systems simultaneously instead of having to configure each system separately.
But the way it was configured in OnApp, it also allowed the researchers to use that SSH connection to issue a command that triggers a cloud provider's authentication system to initiate connections to other servers using the private keys stored in the provider’s authentication system.
“The way agent forwarding works is when they connect to my server [using SSH], they have an open socket that allows me to forward authentication requests to their server,” Ashkenazy told Motherboard. “[T]heir server, with their credentials that I never get to see, opens a channel [to other servers], and I can send what’s known as a key challenge and they answer it for me, which allows me root access to any other server that accepts those credentials.”
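The setting at the heart of this, ForwardAgent in the SSH client configuration, is easy to audit. The script below is an added example (not the article's or OnApp's code) that reports the effective ForwardAgent value for a given host, shown against a constructed weak config that forwards the agent everywhere and a hardened one that scopes forwarding to a single named jump host; all file contents and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the article or OnApp: audit an OpenSSH client
# config for ForwardAgent, the setting that let a leased VM relay key
# challenges to the provider's agent. File contents and host names are
# constructed. Usage: effective_forward_agent <ssh_config> <hostname>

# Print the effective ForwardAgent value for one host, following the
# ssh_config(5) rule that the first matching line wins. Simplification:
# Host patterns are "*" or an exact name (no other globs, no Match
# blocks). OpenSSH's default when nothing sets it is "no".
effective_forward_agent() {
    awk -v target="$2" '
        BEGIN { active = 1 }                       # global section applies
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == target) active = 1
            next
        }
        active && tolower($1) == "forwardagent" && !found {
            val = tolower($2); found = 1
        }
        END { print (found ? val : "no") }
    ' "$1"
}

# Constructed configs: the weak one forwards the agent to every host,
# the hardened one disables it except for one named jump host.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Host *
    ForwardAgent yes
EOF
cat > "$HARD_CFG" <<'EOF'
Host bastion.internal.example
    ForwardAgent yes
Host *
    ForwardAgent no
EOF

# PASS/FAIL report for connecting to an untrusted tenant VM with a config.
audit() {
    if [ "$(effective_forward_agent "$1" "$2")" = "yes" ]; then
        echo "FAIL: $1 forwards the agent to $2"; return 1
    fi
    echo "PASS: $1 does not forward the agent to $2"
}
audit "$WEAK_CFG" tenant-vm-17 || :    # FAIL for the weak config
audit "$HARD_CFG" tenant-vm-17         # PASS for the hardened config
```

Because the agent socket is created on the client side of the connection, the fix belongs in the client that reaches into tenant machines; `AllowAgentForwarding no` in a tenant's own sshd_config offers the provider no protection, since the tenant controls that host.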
Ashkenazy said there was no reason for OnApp to have enabled agent forwarding but speculated that the company may have used it for a legitimate purpose at one point, but forgot to disable it when deploying the platform to customers.
In any case, the company was immediately responsive when Ashkenazy’s team contacted it.
OnApp told Motherboard that in addition to issuing patches, the company contacted all of its customers by email and other means in June and again in July to provide instructions for patching their OnApp control panels and also offered to do the update for customers free of charge. But not all customers applied the patch or took the company up on its free offer.
OnApp praised Skylight Cyber for alerting it to the issue and for withholding the technical details for exploiting the vulnerability until it could alert customers.
“What we would like to emphasize, however, is the value of ‘ethical hacking’ and the importance of vendors remaining vigilant to and responding swiftly to issues like this when they arise,” company spokesman Steve Fenton wrote in an email. “We’d like to highlight the diligence of the team at Skylight throughout the disclosure process, too: they also played an important role in mitigating this issue by testing the methodology behind the fix before patches were released to our customers.”