Tenable uncovers security flaw in OCI

Tenable APAC

By Dylan Bushell-Embling
Friday, 18 July, 2025

Tenable researchers have discovered a new remote code execution vulnerability in Oracle Code Editor that could have allowed attackers to run malicious code on a server without the need for direct access.

The vulnerability enables threat actors to hijack a victim’s Cloud Shell environment, and potentially move across to other Oracle Cloud Infrastructure services. Once inside, an attacker could have executed arbitrary commands, accessed sensitive credentials, and pivoted to services such as Resource Manager, Functions and Data Science, opening the threat of broader system compromise or data exfiltration.

According to Tenable, the main issue was that the code editor’s file upload feature did not properly verify the origin of incoming requests, an oversight that could have allowed malicious websites to trick a user’s browser into uploading harmful files without the user’s knowledge.
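One way a server can enforce the kind of origin check described above, shown as an added example that is not Oracle's or Tenable's code. The allowlisted origin, the `checkUploadRequest` and `evaluateSamples` names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: hypothetical upload-endpoint guard, not Oracle's or Tenable's code.
// Assumption: the single origin that legitimately serves the editor UI.
const ALLOWED_ORIGINS = new Set(['https://editor.example.com']);
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// req is a plain object { method, headers } with lower-cased header names.
function checkUploadRequest(req) {
  const method = String(req.method || '').toUpperCase();
  if (!STATE_CHANGING.has(method)) return { allow: true, reason: 'safe-method' };
  const h = req.headers || {};
  // Fetch Metadata: current browsers label cross-site requests themselves.
  const site = h['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin') {
    return { allow: false, reason: `sec-fetch-site=${site}` };
  }
  // Browsers attach Origin to cross-origin POSTs, multipart form uploads included.
  // An Origin of "null" (sandboxed frame, data: URL) is never on the allowlist.
  let source = h['origin'];
  if (source === undefined) {
    // Older clients: fall back to the Referer header, reduced to its origin.
    try { source = new URL(h['referer']).origin; } catch { source = undefined; }
  }
  if (!source) return { allow: false, reason: 'no-origin-evidence' };
  // Exact match only: prefix or substring tests accept look-alike hosts.
  if (!ALLOWED_ORIGINS.has(source)) return { allow: false, reason: `origin=${source}` };
  return { allow: true, reason: 'allowed-origin' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: 'editor UI upload', method: 'POST',
    headers: { origin: 'https://editor.example.com', 'sec-fetch-site': 'same-origin' } },
  { name: 'form auto-submitted by another site', method: 'POST',
    headers: { origin: 'https://other.example', 'sec-fetch-site': 'cross-site' } },
  { name: 'look-alike host, no Fetch Metadata', method: 'POST',
    headers: { origin: 'https://editor.example.com.other.example' } },
  { name: 'sandboxed frame', method: 'POST', headers: { origin: 'null' } },
  { name: 'referer only', method: 'POST',
    headers: { referer: 'https://editor.example.com/workspace?file=a.txt' } },
  { name: 'no origin evidence', method: 'POST', headers: {} },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...checkUploadRequest(s) }));
}
for (const r of evaluateSamples()) {
  console.log(`${r.allow ? 'ALLOW' : 'DENY '} ${r.name} (${r.reason})`);
}
```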

Oracle has remediated the vulnerability after being informed of it. Tenable Senior Security Researcher Liv Matan said the vulnerability is an example of what her company has termed the Jenga concept of cloud security: the tendency of providers to build services on top of one another, so that security risks in one layer cascade into other services.

“Similar to the game of Jenga, extracting one block can compromise the integrity of the whole structure,” she said. “Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches.

“Our OCI research underscores the critical importance of scrutinising these interconnected systems.”
