Customers using virtual machines in the cloud can enable far more advanced features than in on-premises environments, such as log collection, automatic updates, configuration sync and more. However, most customers are not necessarily aware that enabling these features can often result in the silent installation of an agent.
Cloud service providers install proprietary software on customers’ virtual machines typically without the customer’s awareness or explicit consent. This cloud middleware software, which bridges customers’ virtual machines and cloud providers’ managed services, can introduce new potential attack surface unbeknownst to cloud customers due to the implicit manner in which it is installed. Moreover, when a new vulnerability is discovered in cloud middleware software, and there is uncertainty about who is responsible for updating it, customers are left exposed to critical vulnerabilities.
This topic, which we will present at RSA Conference 2022, builds upon our previous study on the Azure Open Management Infrastructure (OMI) agent and the OMIGOD findings, a set of vulnerabilities found and published in September 2021. The findings included remote command execution as root in OMI, a secretly installed Azure agent. The vulnerabilities affected countless Azure customers, and there was also evidence of the vulnerabilities being exploited in the wild.
Azure silently installed OMI without customer awareness or explicit consent. When Microsoft released the patch for the vulnerabilities we reported, it was initially the customers’ responsibility to update all the OMI installations in their environments. Simply put, customers were expected to update an agent which they were not aware was installed in their environment.
The use of agents to integrate virtual machines with the cloud is not limited to Azure. During our research, we discovered that cloud middleware software is being used across major cloud providers. This type of software, which can expose customers to local privilege escalation attacks or, even worse, to remote command execution vulnerabilities, is unknown to customers and is therefore disregarded. When the cloud provider fails to update such software, the customer is left at risk.
It is likely, based on our investigation, that there are more agents of which security researchers and cloud customers are unaware.
Cloud users need to be vigilant about cloud service provider software installed in their environment. It is important to document where this type of software is installed and study the potential risks, as organizations typically do when installing third-party software. In the absence of visibility into this software, cloud users cannot assess the risk of cloud agents. Therefore, we believe the best way to create a better and more secure environment for customers is by asking cloud vendors to be transparent about the cloud middleware software used to integrate customers' virtual machines with other cloud services.
To immediately address the increasing risk of cloud middleware, Wiz has launched a community-driven GitHub page to map all the agents that cloud providers are installing on customers' machines along with the additional attack surface they introduce. This GitHub page will give cloud customers the power to understand the security risks posed by certain cloud services.
Mapping all the agents that cloud providers are installing is not a trivial task. We call on the entire security community to help us achieve this ambitious goal by contributing and helping us keep this database updated.
We encourage you to check out our GitHub page, share it with your colleagues, and help us in our effort to create a better and more secure cloud.