[HN Gopher] "Worst cloud vulnerability you can imagine" discover...
___________________________________________________________________
"Worst cloud vulnerability you can imagine" discovered in Microsoft
Azure
Author : fortran77
Score : 226 points
Date : 2021-08-29 14:49 UTC (8 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| mirekrusin wrote:
| What kind of private key is it, and can it be called _private_
| key if it exists remotely?
| oaiey wrote:
| It's private in the tenant. An SSL certificate encrypted web
| server also has the private key in the remote machine.
| Potentially hosting millions of other pages.
| doliveira wrote:
| It's even hard to imagine how this might have happened. Is the
| service a shared Jupyter server (or group thereof) that somehow
| has access to everything and it's within this service that the
| access/authorization is implemented? I wouldn't expect IAM to
| work this way in a cloud service
|
| I don't know how these security boundaries are usually
| implemented, but I would expect this bug to be way less
| plausible. Isn't this an architectural smell?
| muststopmyths wrote:
| I'm curious if Microsoft is suffering from a massive loss of
| generational expertise. At least right after XP we had to go
| through a security standdown where all code was reviewed and
| audited throughout the company. Subsequent features and services
| had to go through a pretty thorough security review at design
| time as well.
|
| Over the past few years the number of security fiascos has been
| increasing. Is the internal Security team (forget what the org
| was called) dead now ?
|
| I'm sure lack of dedicated testing is also a major factor, but do
| launches no longer have to satisfy a security review ? Maybe in
| the name of agile development ?
| bink wrote:
| I think this is more of an industry problem than a Microsoft
| problem. This was a feature added onto an existing service. The
| old waterfall method of security approvals might have caught
| this, but for most orgs that has gone the way of the dodo (and
| probably for the better).
|
| Cosmos DB probably went through security review during the
| design phase and then again regularly as the code was written
| and improved. The Jupyter notebook functionality was also
| likely reviewed by security teams during the design, testing,
| and implementation phases. But once you're through those
| approvals most security review is going to be done via
| automated tooling with only occasional re-reviews and
| penetration testing at scheduled intervals. Automated testing
| is great at detecting vulnerabilities that have been discovered
| in the past, but really not good at detecting new classes of
| vulnerabilities, hard-to-detect authorization vulnerabilities,
| or how code integrates with other services.
|
| Once the initial approval and code reviews had been done
| developers would still be committing code to the service and
| each line of code is probably not receiving a manual code
| review. Vulnerabilities like this are hard to detect even with
| a manual review as the testing team may not have great
| knowledge of all interconnected services, especially if it's an
| outside vendor.
| mistrial9 wrote:
| This sounds reasonable, but in this case stealing a key and
| using it for a man-in-the-middle attack is what happened.
| bink wrote:
| Ah, really? Where did you find that info?
| stingraycharles wrote:
| At the time of XP, Microsoft had a fierce monopoly in the world
| and was absolutely dominating.
|
| I wouldn't be surprised if they started embracing the "ship
| fast" mentality with the cloud a bit more over the past years,
| in order to corner the market more quickly (which they did).
|
| Additionally, I can also imagine that the release processes for
| cloud are fundamentally different than something like an OS.
| With the cloud, there's a much larger mentality of releasing
| often, and it may be difficult to translate rigorous security
| audits to this workflow.
| Wistar wrote:
| One thing: Given the rise of MS stock in the recent past and
| the pandemic, I have seen many long-time MS folks decide to
| retire, especially in the last 10-12 months.
| foepys wrote:
| I'm wondering about this, too. There are so many things being
| redone from scratch that I'm scratching my head about the why.
| Maybe Microsoft lost so many engineers from the 90s that they
| don't have the people anymore that understand the old code.
| pmlnr wrote:
| Understanding old code rarely gets one promotions.
| ta988 wrote:
| The problem here is due to a lack of basic security
| practices. There is nothing related to old code, it is brand
| new code and infrastructure that was deployed without audit.
| redwood wrote:
| One thing is for sure, putting its astronomical revenue growth
| on the side, which presumably involves some fuzzy math... Azure
| is definitely the worst of the big three cloud providers
| gatvol wrote:
| AZURE seems to be trying to play catch up -at least in
| feature parity - with AWS and to some extent GCP. IMO this
| sort of outcome is inevitable when moving at speed. While
| they do seem to have some sort of feature parity (on the tin
| type) and some good ideas, many of the services they have are
| pretty half baked once you scratch the surface, plus they're
| expensive.
| karmakaze wrote:
| It's bothersome that they keep saying 'primary key' in regards to
| what seems to be an 'access key' relating to a database.
|
| Disappointing to see that it's arstechnica.
| mikeryan wrote:
| It's the term that MS uses, agree unfortunate name but you
| can't blame Ars.
|
| https://docs.microsoft.com/en-us/azure/cosmos-db/secure-acce...
| nuker wrote:
| You guys open DBs to internet?
| mikeryan wrote:
| If I had to guess I'd think the 30% of customers that Microsoft
| did notify were the ones that didn't have access in some way
| secured via private network or IAM controls.
| edoceo wrote:
| Sure, some of them. But usually have a pgbouncer in front.
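The thread above turns on two controls that decide whether a leaked Cosmos DB account key is usable at all: whether the account is reachable from the public internet, and whether key-based (local) auth is still the identity model. The following is an added example, not code from the thread, from Wiz or from Microsoft: a small Python audit that reads Cosmos DB account resource JSON and flags accounts that rely on the primary key alone. The field names (`publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `disableLocalAuth`, `disableKeyBasedMetadataWriteAccess`) follow the Microsoft.DocumentDB/databaseAccounts ARM schema as documented; the sample accounts are constructed; `rotation_commands` assumes the `az cosmosdb keys regenerate --key-kind` CLI as documented and only builds the command strings, it does not run them.

```python
import json

# Constructed sample input shaped like Microsoft.DocumentDB/databaseAccounts
# resource JSON, trimmed to the fields audited. These are not real accounts.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "acct-open", "properties": {
     "publicNetworkAccess": "Enabled",
     "ipRules": [],
     "isVirtualNetworkFilterEnabled": false,
     "virtualNetworkRules": [],
     "disableLocalAuth": false,
     "disableKeyBasedMetadataWriteAccess": false}},
  {"name": "acct-ipfiltered", "properties": {
     "publicNetworkAccess": "Enabled",
     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
     "isVirtualNetworkFilterEnabled": false,
     "virtualNetworkRules": [],
     "disableLocalAuth": false,
     "disableKeyBasedMetadataWriteAccess": true}},
  {"name": "acct-locked", "properties": {
     "publicNetworkAccess": "Disabled",
     "disableLocalAuth": true,
     "disableKeyBasedMetadataWriteAccess": true}}
]
"""

# The four key kinds a Cosmos DB account has (documented CLI values).
KEY_KINDS = ("primary", "primaryReadonly", "secondary", "secondaryReadonly")


def load_accounts(text=SAMPLE_ACCOUNTS_JSON):
    """Parse a JSON array of account resources (ARM shape, nested 'properties')."""
    return json.loads(text)


def audit_account(acct):
    """Return finding codes for one account; an empty list means nothing flagged."""
    props = acct.get("properties", {})
    findings = []
    # Network: a stolen key is only usable if the endpoint is reachable.
    # publicNetworkAccess defaults to Enabled when the field is absent.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        ip_filtered = bool(props.get("ipRules"))
        vnet_filtered = bool(props.get("isVirtualNetworkFilterEnabled")) and bool(
            props.get("virtualNetworkRules")
        )
        if not (ip_filtered or vnet_filtered):
            findings.append("public-network-unrestricted")
    # Identity: while local (key) auth is enabled, whoever holds the primary
    # key *is* the account; Azure AD RBAC is never consulted.
    if not props.get("disableLocalAuth", False):
        findings.append("key-auth-enabled")
    # Key holders can also create or drop databases and containers unless
    # key-based metadata write access is disabled.
    if not props.get("disableKeyBasedMetadataWriteAccess", False):
        findings.append("key-based-metadata-write")
    return findings


def audit_all(accounts):
    """Map account name -> list of finding codes."""
    return {a["name"]: audit_account(a) for a in accounts}


def rotation_commands(name, resource_group):
    """Assumed az CLI invocations to rotate all four keys. The order keeps one
    valid key available to clients at every step: regenerate the secondaries
    first, repoint clients to them, then regenerate the primaries."""
    order = ("secondary", "secondaryReadonly", "primary", "primaryReadonly")
    return [
        f"az cosmosdb keys regenerate --name {name} "
        f"--resource-group {resource_group} --key-kind {kind}"
        for kind in order
    ]


if __name__ == "__main__":
    for name, findings in audit_all(load_accounts()).items():
        print(name, findings or "ok")
    for cmd in rotation_commands("acct-open", "example-rg"):
        print(cmd)
```

An account that comes back with `key-auth-enabled` and `public-network-unrestricted` is the case the thread is worried about: anyone holding the key, from anywhere, is indistinguishable from the owner. Disabling public network access or adding IP/VNet rules closes the first; disabling local auth (and moving callers to Azure AD) closes the second; rotating all four keys is the immediate response when a key may have left the tenant.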
| arduinomancer wrote:
| Whenever stuff like this happens I see people saying there should
| be legal consequences for leaking data.
|
| By that logic should there be legal consequences for a company if
| someone breaks into their office and steals paper records?
| turminal wrote:
| This is more akin to leaving the door unlocked than to having a
| break in.
| ljm wrote:
| There already are consequences. Auditors will check the
| physical security of your office buildings if you're dealing
| with anything sensitive. If a breach happens later on and it
| turns out you cut corners on that physical security (or even
| somehow unwittingly compromised it) then you're not going to
| have a good time.
| vorpalhex wrote:
| If there is negligence involved, yes - an unsecured building
| being broken into can absolutely have legal consequences.
|
| That computers are involved should not remove negligence as a
| possibility to recover damages.
| stan_rogers wrote:
| You mean like in bailment? That's a thing.
| doliveira wrote:
| If we're into bad physical analogies, I feel a better
| comparison would be the company itself sending an indexed copy
| of the records of all their clients and relying on ethics alone
| to keep someone from reading others' data.
| geofft wrote:
| https://www.law.cornell.edu/wex/negligence
| inetknght wrote:
| > _By that logic should there be legal consequences for a
| company if someone breaks into their office and steals paper
| records?_
|
| Comparing cloud storage and paper records is worse than
| comparing apples to oranges; it's comparing apples to celery.
| Sure they're both edible but they are vastly different
| organisms.
|
| And yes, there can be legal consequences for a company if
| someone breaks into their office and steals paper records.
| jereees wrote:
| An analogy of an analogy. Could somebody go one level deeper?
| Sanguinaire wrote:
| Comparing the original statement to the subsequent analogy
| is a bit like comparing an apple and an NFT of an apple...
| aranchelk wrote:
| It depends, in a regulated industry if you fail to do stuff
| like install a commercial firewall, keep facilities secured
| with proper door locks, etc. you may very well face fines or
| loss of a license to operate.
|
| I think when people talk about consequences, they're not
| regarding these companies as victims of crimes, rather as
| negligent actors.
| oefrha wrote:
| Dupe: https://news.ycombinator.com/item?id=28322550
| runnerup wrote:
| I always wonder if these types of vulnerabilities affect the most
| secret DoD contracts, or if those accounts are somehow sharded
| onto sufficiently separate systems/networks?
| jeffbee wrote:
| DoD only has idiotic requirements like there has to be a fence
| around their private racks, not useful requirements like the
| global database isn't open to the world.
| dharmab wrote:
| Azure runs their Gov and China clouds as separate
| infrastructures with separate capabilities.
| [deleted]
| reallydontask wrote:
| I'd guess that the azure us gov cloud defaults to stuff not
| being open to the web, so if you spin up an azure function this
| is only available internally, but this is a guess
| nonameiguess wrote:
| Nope. Look here (https://docs.microsoft.com/en-us/azure/azure-government/comp...)
| and search for Cosmos and you'll see this
| service is only approved for DoD Impact Level II systems. That
| is the lowest impact level the DoD offers and includes only
| systems exposed to the public, like the websites for recruiting
| and career descriptions. Any system handling controlled
| unclassified information or PII would not have been allowed to
| use this service.
|
| And when you're talking about "most secret" contracts, those
| are all classified systems, which are on totally separate
| networks in totally separate private data centers located on
| military installations. Unless you've figured out how to break
| strong symmetric encryption using hardware-generated, hardware-
| loaded, pre-shared keys controlled in military arms rooms, that
| means you need physical access. It doesn't necessarily mean you
| need to break into a military installation. You can always try
| to break into a contractor SCIF instead, but that still isn't
| all that easy. My wife once saw some AT&T contractors digging
| too close to the wrong fiber line at her facility when she was
| working for the Navy at a contractor site and unmarked black
| SUVs were there to take those guys away to God knows where
| within two minutes.
|
| That said, I don't doubt people try. When I was at Raytheon
| working at a secure facility, a Chinese company bought the
| property across the street, built a hotel at exactly the same
| height with windows facing us, and it was conspicuously almost
| always empty. I don't think demand for hotel rooms was
| financing that place.
| wiredfool wrote:
| Worst I can imagine would be this, but for active directory or
| IAM.
| sneak wrote:
| I think the worst vulnerability I can imagine is the USG having
| unfettered access to the entire db contents without a warrant,
| which is already the case with everything in Azure.
|
| This bug only seems to widen that vulnerability slightly, to
| those groups plus those with knowledge of this bug.
|
| Nothing in major US cloud providers can reasonably be expected to
| remain private, so I think this breathless headline is a little
| overblown.
| hollerith wrote:
| >the worst vulnerability I can imagine is the USG having
| unfettered access
|
| You cannot imagine any other party it would be worse to be
| vulnerable to?
| dennisblue wrote:
| No.
| bifrost wrote:
| It's the secret about "the cloud" that nobody wants to say.
| indigochill wrote:
| > Nothing in major US cloud providers can reasonably be
| expected to remain private
|
| I'd expand that to "Nothing in third-party cloud providers can
| reasonably be expected to remain private". If you don't have
| ultimate oversight of how the host of your data is managed,
| anything could be going on there, regardless what nationality
| of company is managing it or what promises their salespeople
| make.
| jb0x168 wrote:
| Further amended: nothing connected to the internet can
| reasonably be expected to remain private.
|
| Unless you have some secret kung-fu that makes your on-prem
| infrastructure hack-proof.
|
| The issue with the cloud is scale.
| jsjohnst wrote:
| > The issue with the cloud is scale
|
| I'd argue the issue with cloud is less about scale, more
| about how easy it is to get started. My mother could quite
| easily click through the account creation on a cloud
| provider and setup something insecure, but not a chance is
| she going to get a DC built with equipment racked or even a
| basic setup at a colo facility.
| Angostura wrote:
| So this vulnerability is worse than the worst you could imagine
| donmcronald wrote:
| $40k? Lol. I'm poor and I'd have to think twice about disclosing
| it for that. How many government lists does having the ability to
| discover that type of exploit get you on?
|
| I bet Microsoft would claim damages of $1+ billion if someone
| used that type of exploit maliciously by damaging data and
| undermining customer confidence in Azure.
|
| What a joke. This should pay $1+ million.
| cagenut wrote:
| The context you're missing here is the company/research-team
| that found this are ex-MS employees who started a company
| (Wiz.io) to help other companies secure their cloud
| hosting/environments. This is some of the most pure-gold viral
| content marketing they can dream of, they don't care about the
| $40k at all, its just to acknowledge this is non-trivial.
| doliveira wrote:
| That sounds like paying artists with "exposure".
| ufmace wrote:
| There is kind of a 2-sided argument here:
|
| 1. Small time cheap skate business owners sometimes try to
| cheat professional artists by "paying with exposure", when
| they have no meaningful audience or influence and therefore
| no meaningful exposure to give.
|
| 2. Sources that do genuinely have very large audiences and
| influence can in fact give an artist so much exposure that
| it's worth far more than any reasonable direct payment
|
| This situation seems a lot more like 2 than 1. The company
| is in the business of helping companies secure their cloud
| environments, and these articles going around the tech
| press are being read by hundreds of thousands of people who
| are generally more interested in cloud security than a
| random person. They could spend many times the amounts
| discussed here on advertising and still not get their name
| in front of that many of the right people in a good
| context.
| doliveira wrote:
| Big or small company, I doubt they can pay the employees'
| salary with "exposure". They might have practically
| infinite VC money for now, but that's an orthogonal
| discussion, just as "exposure" and being fairly
| compensated are.
|
| edit: and what about it had been a smaller company or
| individual researcher who wouldn't be able to gain as
| much from this publicity? Are you saying that Microsoft
| would have awarded them $ 500k? Because that's not the
| message sent with this reward. And frankly, even this
| discussion is kind of off-the-point because I doubt
| that's what they took into account when defining the
| money quantity.
| scrollaway wrote:
| Uh, yeah, maybe, I'm not sure how much this changes things to
| be honest. I fully agree with grandparent this is $1MM reward
| territory. (Edit: sibling put it really elegantly, this is
| pay-with-exposure justification)
|
| PR campaign or not, you don't spit on those kinds of rewards.
| And it's a bad look on MS to award 40k on one of the worst
| vulnerabilities to ever hit a cloud provider...
| woofie11 wrote:
| The context you're missing is it doesn't matter. Next person
| to discover a similar vulnerability in Azure will have a
| choice:
|
| 1. Disclose to Microsoft for $40k
|
| 2. Disclose to an intelligence agency for several times that
|
| 3. Disclose to criminals for several times that, in turn
|
| The incentives are now publicly known to be misaligned, and
| as a potential Azure customer, I have to contend with the
| simple reality that a significant number of vulnerabilities
| will be exploited rather than reported.
|
| $40k doesn't even come close to covering engineer time here.
| This should be a $1M payout.
| [deleted]
| didntknowya wrote:
| If you're only in it for the money I don't think white hat
| is your calling.
| jcims wrote:
| If companies have to outcompete criminals and intelligence
| agencies in the open market there will be no bug bounties,
| we'll just go back to the old way of doing things.
|
| The reality is that if an organization is using a managed
| database and doesn't have service-provider vulnerabilities
| as part of their threat model, they are naive and arguably
| negligent.
| woofie11 wrote:
| Mid-range engineer at big tech makes $350k / year. I
| think having a vulnerability like this go to Microsoft
| instead of criminals is easily worth a few engineer-
| years. A $1M payout is just not unreasonable or even
| difficult for a $2.5T corporation.
| jcims wrote:
| My point isn't that $40K is enough or $1M is too much,
| it's that pinning public payouts to the grey/black market
| is unsustainable. This bug could easily be worth $10M in
| the right hands, so why stop at 7 figures?
| throwaway739 wrote:
| You think Microsoft can't pay $10 million? Paying $40k
| means they don't give a shit about their customers.
| jcims wrote:
| Would you pay 100x as much for a service that is
| protected by that level of award?
| pojzon wrote:
| The reason you pay so little is to not encourage ppl to
| even start looking.
|
| Knowledge required to find stuff like that is very
| scarce. And you have to know where to look for.
|
| Chances to find something really big are so small that
| it's not worth it to look for them financially.
|
| That's why ppl don't do that often. They do it if they
| have long cooperation history with given company because
| they are treated as an employee.
|
| TL;DR is that you don't want to encourage ppl to start
| looking. All software has bugs, so it's only a matter of
| time until someone finds something.
| cortesoft wrote:
| Options 2 and 3 pose a moral and physical risk. Money isn't
| the only factor.
| oaiey wrote:
| Because it is unethical and in most countries illegal :)
|
| But you are right. They should pay them more.
| donmcronald wrote:
| I wouldn't use it maliciously, but I would honestly think
| twice about disclosing it. I think that's especially true for
| anyone that doesn't have a way to gain from the publicity.
| RealStickman_ wrote:
| What would you use it for instead? 40k + recognition sounds
| way better than 0 and sitting on it.
| cortesoft wrote:
| This seems like a strange calculation... you think the
| scrutiny from being identified as talented enough to find
| this is bad enough to not be worth $40k + the reputation
| bump for your CV?
|
| That seems overly paranoid.
| didntknowya wrote:
| well the black market is always going to pay more. that's kinda
| why criminals tend to go there...
| YetAnotherNick wrote:
| The question is if this wouldn't have been reported what are
| the chances that this would have been exploited. Or what are
| the chances that Microsoft got saved from a hack in the wild
| from this knowing this vulnerability. If we assume that the
| codebase has one vulnerability for 10k lines, we would still
| get 10s of thousands of vulnerabilities. Any one of those could
| cost billion dollar to Microsoft, but patching one of those
| doesn't make the chance of getting hacked much different.
| Jyaif wrote:
| Maybe they have already sold the exploit months ago to
| everybody that would buy it?
| varispeed wrote:
| I am the only one who thinks these bounties are ridiculously low?
| They should at least add a couple of zeroes to that one. Just
| wow.
| m0zg wrote:
| Microsoft isn't helped by the fact that there are also FB and
| Google in town, and they pay at least 20% more and have better
| engineers to work with as well, which makes work far less
| aggravating. So MS gets FB/Google rejects at this point, and
| there's a constant brain drain on top of that. But their internal
| culture has always been, "if we pay managers well enough things
| will work out". This breaks down when you actually have to do
| something hard (rather than rearrange buttons on Office app
| toolbars), as managers aren't the ones who do the actual work.
___________________________________________________________________
(page generated 2021-08-29 23:02 UTC)