Security
Headlines
HeadlinesLatestCVEs

Headline

Beware the 'Secret Agent' Cloud Middleware

New open source database details the software that cloud service providers typically silently install on enterprises’ virtual machines — often unbeknownst to customers.

DARKReading
#vulnerability#web#mac#windows#google#microsoft#amazon#linux#cisco#git#perl#aws#auth

RSA CONFERENCE 2022 – If cloud services weren’t complicated enough for the typical business today to properly configure and secure, there’s also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers’ virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these “secret agent” middleware programs on their customers’ virtual machines, and with the highest privileges, as a “bridge” between their cloud services and their customers’ VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

“These agents are adding an additional attack surface and cloud customers don’t know about those agents …; most are installed silently. If they come pre-installed, they have no idea” either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure’s Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren’t aware of OMI.

“There was confusion over how to handle this middleware” patching, Tamari said.

The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent’s listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access memory in the kernel from a user process.

Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.

AWS, meanwhile, has four such middleware agents listed in the dataset, AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw CVE-2022-29527 was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.

Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and guest also run on Windows. Accounts Daemon, which works in Google’s OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vuln in 2020 that Google later fixed.

What to Ask About Cloud Middleware

So, how can organizations pinpoint these “secret agents,” as Wiz researchers refer to them?

In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: “Whose middleware is it [and] how do you know if it’s running on your environment” and does the software contain vulnerabilities, and how are updates and patches handled?

“This is a different attack surface. It’s a gray area,” he said. “It needs transparency and a clear process for updates for agents, VMs.”

Related news

CVE-2023-33953: Security Bulletins

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...

CVE-2022-1941: Security Bulletins  |  Customer Care  |  Google Cloud

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Last updated on October 5, 2021: See revision history located at the end of the post for changes. On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel