Critical vulnerability affecting cloud servers: thousands of servers infected

Because of the advantages it offers, cloud computing is considered a much safer environment for the information stored on its servers. However, vulnerability testing specialists have discovered a security flaw in a cloud management system, used by thousands of cloud providers, that could expose the information of thousands of system administrators.

The vulnerability is present in OnApp, one of the most important cloud computing management platforms, used by thousands of hosting services. If exploited, this vulnerability would allow a threat actor to take control of all servers managed by a cloud provider with relatively little effort (by renting space on a server from the same provider, for example). In addition, this flaw would allow hackers to steal, corrupt and even delete information belonging to other customers.

According to vulnerability testing specialists, the vulnerability allows hackers to gain access to compromised servers using login credentials with administrator privileges. “This is not a simple information leak,” said Adi Ashkenazy, of security firm Skylight Cyber, in an interview with the online platform VICE. “Root access to servers means that hackers can install malware, distribute ransomware or any other malicious activity”, added the researcher.

In some cases the hackers might find that the information stored on these servers has already been encrypted by administrators. However, hackers could re-encrypt this information using their own keys, an equally disastrous scenario.

OnApp is a cloud management platform used by government agencies, small businesses and even some large companies. According to the company's own data, at least one in three public clouds uses OnApp. Vulnerability testing experts mention that the vulnerability was tested by two different cloud providers, demonstrating that exploitation is possible.

The flaw affects all versions of OnApp used to manage Xen or KVM-based virtual servers. The flaw was discovered by chance after the researchers opened an account with a cloud provider and detected an SSH connection to their server from the cloud provider, made using the provider's private keys.

While checking whether the same keys were used to access every server managed by this provider, the experts found that it was possible to trigger the system into initiating an SSH connection to any other server operated by the company, using the provider's keys.

Simply put, the experts were able to access any server with administrator privileges without knowing the cloud provider's keys. “It’s really simple and anyone could do it,” the experts say.

Apparently the flaw exists because OnApp is configured to allow “agent forwarding” over its SSH connections. Agent forwarding lets a private key held on one system be used to make automated, authenticated connections to another system; it is commonly used in scripts that manage many systems at once rather than one at a time. The way OnApp was configured allowed that SSH connection to be used to send a command that makes the cloud provider's authentication system initiate connections to other servers using the provider's keys.
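The exposure described above depends on the receiving server accepting a forwarded agent. The following audit script is an added example, not code from the article or from OnApp: it reads an OpenSSH `sshd_config` and reports every scope that still permits agent forwarding, assuming standard OpenSSH semantics (first value for a keyword wins, `AllowAgentForwarding` defaults to `yes` when absent, and `Match` blocks override the global value only for the connections they match). The sample configuration is constructed for illustration.

```python
"""Audit an OpenSSH sshd_config for agent-forwarding exposure (added example,
not from the article or OnApp). Assumes OpenSSH semantics: the first value
seen for a keyword wins, AllowAgentForwarding defaults to 'yes' when absent,
and a Match block overrides the global value only for connections it matches."""
import re
from typing import Dict, List, Optional

DEFAULT_ALLOW_AGENT_FORWARDING = "yes"  # OpenSSH default when unset
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # 'Key value' or 'Key=value'


def effective_agent_forwarding(text: str) -> Dict[str, str]:
    """Map each scope ('global' or 'Match <criteria>') to the effective
    AllowAgentForwarding value after applying the rules above."""
    seen: Dict[str, Optional[str]] = {"global": None}
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no directive
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = f"Match {value}"  # criteria kept verbatim
            seen.setdefault(scope, None)
        elif keyword == "allowagentforwarding" and seen[scope] is None:
            seen[scope] = value.lower()  # later duplicates are ignored
    global_value = seen["global"] or DEFAULT_ALLOW_AGENT_FORWARDING
    # Match blocks that never set the keyword inherit the global value.
    return {s: v if v is not None else global_value for s, v in seen.items()}


def audit(text: str) -> List[str]:
    """One finding per scope that still permits agent forwarding."""
    return [f"{scope}: AllowAgentForwarding yes"
            for scope, value in effective_agent_forwarding(text).items()
            if value == "yes"]


# Constructed sample: the global section permits forwarding, one Match
# block disables it, and the second Match block inherits the global 'yes'.
SAMPLE_SSHD_CONFIG = """\
AllowAgentForwarding yes
AllowAgentForwarding no
Match User backup
    AllowAgentForwarding no
Match Group operators
    X11Forwarding no
"""
```

Running `audit(SAMPLE_SSHD_CONFIG)` flags the global section and the `Match Group operators` block. As the article notes, OnApp stated there is no workaround, so this audit only shows which hosts would accept a forwarded agent from the management system and does not replace the vendor patch.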

Upon receiving the report, OnApp began working on the software updates needed to fix the vulnerability, although it will take a while for all users to update their deployments. Although OnApp did not disclose any further details, it stressed that it is important to install the patches, as there are no workarounds to mitigate the risk.

Vulnerability testing specialists at the International Institute of Cyber Security (IICS) mention that the company's clients are being contacted by email to inform them about the situation and to reduce the extent of the vulnerability as soon as possible by updating the exposed systems.