19 comments

[ 307 ms ] story [ 1006 ms ] thread
I'm curious to know if a bounty was paid for this and how much.
The bounty was paid out, leaving the amount as undisclosed but it was under 3500 USD.
(comment deleted)
There was a thread yesterday where lots of people were complaining about HSMs (https://news.ycombinator.com/item?id=13031155). I think this is an example where it would have helped to secure the private key in an HSM instead of the server itself.

Now the author states the keys have been rotated but now the next hacker know where to look.

I'm not fully confident that they have actually been rotated....
Hi Ian. That was a very well-written account of a very serious vulnerability. I just thought I’d let you know that there's a typo in the closing sentence (being discussed here), “they claim to of rotated all secrets”. That should be “have” rather than “of”. It kind of threw me a little as I read it. Le gach dea ghuí.
Perfect! Thank you Anthony, colloquialism slipping into my English.
It sounds like they fixed the RHEL Update infrastructure, but they didn't fix this:

"Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available"

Debatable @shshhdhs, I can confirm they locked down access but I'm not confident the certificates were actually rotated. It would have meant they would have needed to push new SSL client certs out to every customer Red Hat Enterprise Linux Virtual Machine.

I'm confident that duplicating the virtual disk, certificates or installing the documented RPMs will result in repository access without being billed accordingly. It is considered fraud and I would imagine if one took large advantage of one would be disciplined accordingly.

Am I misreading this or does this really allow arbitrary packages to masquerade as legitimate packages?!
That would be correct since GPG checking is disabled. Would just be a case of bumping the version number and releasing a package under the same name.
> Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.

And given how hard it is to detect backdoor software, this is a HUGE security blunder. This could have literally installed a rootkit on every rhel instance on Azure.

That is correct..... I've another post I'll do in a few days that details how you can become storage account admin from being root on an instance.
So, it seems that the attack vector was that Microsoft was running RHUI Log Collector open to the public internet for some reason.

Considering that's from Redhat, and not Microsoft, I do wonder if this is a non sensible default setup issue and there may be many enterprises running this out in the open.

That is very interesting @joneholland. Can you tell me more about the RHUI log collector? I thought it was something hand rolled.
Another reason to be away from MS cloud. Good work man.