This is part-1 of a 2 part series that introduces the cloud and the types of threats and cloud security issues that opens the web application to compromisation. The following post addresses hypervisor breakouts, also known as VM escape.
Cloud computing is the technology that equips the organizations to fabricate products and services for both internal and external usage. It is one of the exceptional shifts in the I.T industry that many of us are likely to witness in our lifetimes. However, to align both; the business and operational goals, cloud security issues must be addressed by governance and not just treated as a technical issue.
Essentially, the cloud combines resources such as central processing unit (CPU), Memory, Hard Drives and places them into a virtualized pool. Consumers of the cloud can access the virtualized pool of resources and can allocate them in accordance to the requirement. Upon completion of the task, the assets are released back into the pool for future use.
Cloud computing represents a shift from a server-service based approach, eventually, offering significant gains to business. However, these gains are often eroded when the business’s valuable assets, such as web application, become vulnerable to the plethora of cloud security threats, which are like a fly in the ointment.
Although cloud adoption is expanding but there are heaps of hesitation with security and data protection. To put it another way, the cloud represents a challenging environment for us to address since no one is on a secure island when it comes to cloud vulnerabilities. Cloud security issues are hitting web applications at a different magnitude and are getting sophisticated by the day.
However, clouds can be secure but the critical point is, are you using them securely? Good intentions alone might not ace the security. Besides, outsourcing the cloud does not mean outsourcing the responsibility of security within the cloud on all counts. Therefore, it’s all about striking the balance between security and value.
Cloud Threat Introduction
The shared on-demand nature of cloud computing introduces a number of cloud security issues, such as data breaches, credential and access management, data loss, shared technology vulnerabilities, denial of service, insecure application programming interface (APIs), system and application vulnerabilities to advanced persistent threats (APTs) just to name a few.
Attacks such as botnets and APTs have become like a needle in the haystack and therefore handcuffs the preventive measures. This is compounded by the fact that most organizations have shoestring budgets for allocation of the security solutions. Within the cloud, there has been a long list of web application vulnerabilities. For example and more recently, a subscription-based collection of online service company became susceptible to XSS and Path Traversal with the cloud.
Asymmetric application-level DoS attacks target vulnerabilities feasting in the web servers and the other cloud resources. This allows the grass to grow under the feet since it sanctions the bad actor to take down the web application with just a single small payload. In some cases, the payload can be of less than 100 bytes.
In 2011, one Tier 1 cloud provider allowed Hypertext Transfer Protocol (HTTP) PUT to the web root. As a result, it enabled the arbitrary file uploads. The same cloud provider became wide open to the well-known brute force attack. As tested by an external cloud security company, the attackers were able to process up to 3.5 million attempts on account login without the cloud provider locking the account. There were no password complexity restrictions, allowing the consumers to use only five regular numbers for their password. As we have already discussed earlier in < Link to previous blog > , the bad actor does not need a grand level of technicality to formulate a brute force attack and cut the ground from under the feet.
Types of Cloud Security Issues
The cloud provider is open to a number of vulnerabilities and for a start, you may detect vulnerabilities in the actual cloud’s underlying infrastructure, that forms the building blocks for all its services. If the cloud is a virtualized environment, which it is most probably, you will have hypervisor vulnerabilities.
The hypervisor is the software that creates the virtual machines, which are then orchestrated by the cloud controller. There may also be vulnerabilities in the storage, network and management (API’s) of the cloud’s infrastructure.
Introducing Hypervisor Breakouts
The “hypervisor breakout” is a class of vulnerability, which enables a consumer of the cloud to “get out” of their virtual machine (VM) and access another VM belonging to a different consumer that is on the same hypervisor. This was first seen in 2007 with the VM shared folder feature. The shared folder feature enables you to incorporate a shared folder between the host system and VM, which is useful if you want to share files between VM and host.
In 2009, VMware Cloudburst demonstrated a full hypervisor breakout. This vulnerability exploited VMware ESX server, which gave full access to all the VMs on the hypervisor controlled by that ESX server. More recently, we are seeing hypervisor vulnerabilities in various Xen, QEMU and Hyper-V hypervisors. Disclosed by Google’s Project Zero team, Meltdown and Spectre were hitting vulnerabilities, thereby, affecting nearly every computer chip manufactured in the last 20 years.
At this moment in time, there is no hardware fix for Spectre and the only approach is to secure your application. If your cloud runs on bare metal and does not share processors or memory, then you are safeguarded. However, many cloud infrastructures are not architected this way and are hence susceptible to these two newfangled vulnerabilities.
You can now buy hypervisor breakouts, which are called “VM Escape” and get paid up to $50,000 for each vulnerability. Astonishingly, this might not be a lot of money in comparison to finding an Apple IOS vulnerabilities, which would fetch up to $1,000,000.
This is a Security Bloggers Network syndicated blog post authored by Matt Conran. Read the original post at: Web Security Blog – Acunetix