low

Public admin access to Azure's Red Hat Update Infrastructure

Published Sat, Nov 26th, 2016

Platforms

Summary

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed. It allowed malicious actors uploading packages that would be acquired by client virtual machines on their next yum update. The vulnerable infrastructure supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://ianduffy.ie/2016/11/26/azure-bug-bounty-pwning-red-hat-enterprise-linux/

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Sat, Nov 26th, 2016

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ian Duffy

More vulnerabilities...

medium

3rd party vendor confused deputy via AssumeRole

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their AWS role trust policies, leading to confused deputy issues. These misconfigurations could allow customers to a...

Daniel Grzelak, Atlassian

Wed, Nov 16th, 2016

low

AWS published official AMIs with recoverable deleted files

Researchers, while investigating the security posture of Public AMIs, were able to undelete files from an official image that was published by Amazon AWS.

Marco Balduzzi, Jonas Zadda...

Sat, Jun 4th, 2011

medium

Signature version 1 (SigV1) is insecure

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attac...

Colin Percival

Thu, Dec 18th, 2008

View all