Microsoft update left Azure Linux virtual machines open to hacking

Microsoft patches configuration hole that allowed hackers to upload software packages to its Azure update infrastructure.

Red Hat Enterprise Linux
Red Hat Enterprise Linux

Microsoft has patched a massive vulnerability that left virtual machines on Azure running Red Hat Enterprise Linux (RHEL) open to attack.

Software engineer Ian Duffy found the flaw when trying to create a virtual machine image of a Red Hat Enterprise Linux server compliant to the US Department of Defense's 'Security Technical Implementation' guidelines.

According to Duffy, it was discovered that Azure used an unusual installation script in its pre-configured RPM Package Manager that comprises build host information enabling hackers to find all Red Hat Update Appliances which expose REST APIs over HTTPS.

He ran an application called rhui-monitor.cloudapp.net on port 8080. This revealed URLs of the appliances and allowed access to archives containing configuration files and SSL certificates. This could be used to attain full administrative access to the VMs.

"It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it, all billing association seemed to be lost but repository access was still available," said Duffy in a blog post.

"Despite the application requiring username and password-based authentication, it was possible to execute a run of their 'backend log collector' on a specified content delivery server. When the collector service completed, the application supplied URLs to archives which contain multiple logs and configuration files from the servers."

He also managed to root the storage account administrator.

“As an attacker, this would have granted access to every piece of data on the compromised virtual machines. Sadly, the attack vector is actually much more widespread than this. Given some poor implementation within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) one is able to obtain the administrator API keys to the storage account used by the virtual machine for debug log shipping purposes, at the time of research this storage account defaulted to one shared by multiple virtual machines,” he said in another blog post.

Duffy reported these problems to Microsoft's online services bug bounty programme, which has since resulted in Microsoft patching both issues.

Mark James, security specialist at ESET, told SCMagazineUK.com that any bug has the potential to be used and abused.

“It would be nice to think that this bug was first picked up by Mr Duffy, reported and fixed before anyone else had the opportunity to exploit it, but often that's not the case. If someone is successfully using this then I doubt they will be shouting it from the rooftops,” he said.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC that attackers could have leveraged the flaw to start disseminating tampered packages, potentially compromising VMs in various ways.

“Since the updated packages could have contained any type of malicious code, anything from infecting VMs with malware or remotely managing them to accessing data from storage accounts could have been possible,” he said.

Venafi's chief cyber-security strategist, Kevin Bocek, said that as the update services use SSL/TLS encrypted tunnels, communicating and exploiting the service would almost certainly be a blind spot for Microsoft and Azure customers.

“Network security systems need to be fed SSL/TLS keys to have full visibility – something that is extremely difficult since most data centres have thousands of SSL/TLS keys and certificates, most completely unknown or out of reach of security administrators. Only automated SSL/TLS key and certificate discovery and orchestrated distribution to security systems can make can make full visibility possible,” he said.

Sign up to our newsletters