Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk) 35
An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.
Re: (Score:2)
Re: (Score:1)
They locked the vault door after the money was stolen. Problem solved.
Too bad they didn't lock it before the guy's wife was murdered, then he wouldn't have had to spend his life searching for his kid.
(oh wait...he just didn't care enough to look)
No, no, no!
That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
Re: (Score:2)
No, no, no!
That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
Cut the Juice some slack. He's trying harder. He's infiltrated a prison doing recon. Now that's selflessness.
Re: (Score:1)
Moral of the story: Microsoft got caught backdooring their Azure instances on behalf of the government. Shill all you want, you fucking whore, in the end you'll burn like the rest.
Re: Moral of story: MSFT fixes things (Score:2)
"So your saying MS is Backdooring RHEL."
No, only instances built from the default Azure template.
(And this is one of those problems of 'cloud', you outsource some of your host security in the name of convenience)
If you want an RHEL cloud server... (Score:2)
Re: (Score:2, Informative)
They do it because Microsoft, with a laughably inferior cloud offering, resorts to FUD, bribery, and extortion to force companies to migrate to Azure.
These companies usually endure it for a couple of years then migrate back.
Re: (Score:2)
Azure is a joke compared to AWS. It's not even in the same league. AWS is better in almost every way. Be serious.
Re: (Score:1)
Microsoft's management ui for their cloud services is actually really quite nice. Plus if you already have a paid developer account - you get a decent amount of time for free on Azure.
Re: (Score:2)
You'd think MS would have better quality assurance (Score:5, Funny)
Just kidding.
Help! I'm locked into a Windows shop... (Score:2)
Everyone should learn from pilots... (Score:3)
... that clouds are places to hide big rocks.
Serious Issue / Not the End of the World (Score:2)
While this is a serious flaw and it is good to know that it has been fixed, it is easily avoidable. I can't speak for other Azure customers, but my organization does not use the default Microsoft OS images. We provide our own. If there is an issue in our base builds, it is because our internal security team screwed up.
Azure is an okay platform, but it is also a very new platform. The old adage of "Trust but verify." definitely applies.
I mostly trust that Microsoft can put together a clean Windows Server
Re: (Score:3)
I would not trust Microsoft to secure a Linux build.
This^^^
I can understand a business using Azure, but using MS-built RHEL images? Particularly when this is a relatively-new service/product MS offers? I'd think any competent admins at these companies would have been extremely wary given the MS track record on new builds of even their own code, never mind a linux system. I know I'd have kicked up a fuss and insisted on thorough testing and vetting of these builds before rolling them out to production servers. Maybe many did but were overruled by PHBs. In eit
Re: (Score:3)
I mean, it's MS...you *expect* that crap! Or, at least one should.
Exactly. I say this all the time, "If Microsoft always got things right, I would be out of a job."
Because (Score:2)
Microsoft loves Linux