In June 2022, Wiz Research researchers Nir Ohfeld and Shir Tamari presented their findings on cloud middleware vulnerabilities in cloud virtual machines at RSA Conference 2022.
Their work builds on a previous study conducted in 2021, which uncovered vulnerabilities in software secretly installed on cloud services, such as the Azure Open Management Infrastructure (OMI) agent and its OMIGOD vulnerabilities. The cloud middleware was necessary to enable advanced virtual machine features on the cloud software. However, it also added new attack surfaces that could potentially be exploited by hackers.
These cloud vulnerabilities affected several Azure customers and could also be exploited in the wild, posing considerable security risks. For instance, OMIGOD included a bug with a 9.8/10 CVSS score that would let an attacker escalate to root and remotely execute code. Although Microsoft patched the vulnerabilities, most of the patches had to be applied manually by customers.
Furthermore, at the RSA Conference, Ohfeld and Tamari revealed that “pretty much every cloud provider” was installing similar middleware agents “without customers’ awareness or explicit consent”.
Their findings raise questions about whether cloud service providers should be more transparent and open with their customers, who may not necessarily be tech-savvy or aware of middleware’s effects and implications for their data.
A Problem Across the Cloud Industry
Notably, Ohfeld and Tamari added that even though Azure had silently installed OMI without customers’ consent, it was nonetheless the customers’ responsibility to update the secret OMI installations in their data environments to protect them from hacking or data compromise.
For cloud customers, adequate data protection is becoming increasingly important as the incidence of cyber attacks increases. However, cloud middleware software can expose customers to local privilege escalation attacks or remote command execution vulnerabilities, especially when cloud providers fail to update their software.
Hence, Ohfeld and Tamari note that cloud users need to be more vigilant in taking note of where cloud provider software is being installed in their environment, and in studying the security risks from installing third-party software.
However, a survey from Trend Micro highlighted that while a majority (73%) of IT and business decision makers surveyed noted that they were concerned about their growing attack vulnerability surface, only half (51%) of them could fully define their tech vulnerabilities.
Amit Yoran, Chairman and CEO of cybersecurity company Tenable, noted in a recent article that cloud providers silently patching and hiding software vulnerabilities by not reporting these issues to customers has been a “repeated pattern of behaviour.”
Beyond cloud users’ own vigilance, cloud providers must also be more transparent about the security of their services. Collectively, cloud users and corporations should also be more proactive in holding cloud providers accountable.