Microsoft update servers left all Azure RHEL instances hackable

Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package …

  1. bombastic bob Silver badge
    Devil

    That would be the 'Extinguish' part, right?

    Making *ALL* RHEL VM's in the Azure cloud 'crackable' by malicious actors... that would be the 'Extinguish' part of "Embrace, Extend, Extinguish", right?

    1. Anonymous Coward
      Anonymous Coward

      Re: That would be the 'Extinguish' part, right?

      And what's to suggest this hack to all RedHat Linux servers on Azure hasn't been done already...

    2. Lusty

      Re: That would be the 'Extinguish' part, right?

      Technically the embrace phase was partnering with Red Hat in this instance so they do all support for their product in Azure. It's therefore likely this was a self inflicted wound by Red Hat rather than MS not setting it up correctly. Hopefully the Reg can be arsed to follow that up rather than just assuming MS did this.

      1. Anonymous Coward
        Anonymous Coward

        Re: That would be the 'Extinguish' part, right?

        Technically the embrace phase was partnering with Red Hat in this instance so they do all support for their product in Azure. It's therefore likely this was a self inflicted wound by Red Hat rather than MS not setting it up correctly. Hopefully the Reg can be arsed to follow that up rather than just assuming MS did this.

        It's still MUCH more fun to blame Microsoft, though :)

      2. Roo
        Windows

        Re: That would be the 'Extinguish' part, right?

        "It's therefore likely this was a self inflicted wound by Red Hat rather than MS not setting it up correctly."

        That's pretty unlikely IMO given my experience of Red Hat support. However given my experience of Microsoft's approach to support, and their proven track record of prioritising "time to market" over all engineering concerns, I think it is far more likely that Microsoft's engineering staff have been ordered to roll out a RHEL on Azure Proof-of-Concept to production.

        Ultimately it's a Microsoft self-inflicted wound we're seeing here. As a potential customer I would be questioning the processes and financing of Azure at this point because their processes are clearly inadequate, they are clearly incompetent and they are clearly failing to budget enough for mitigation as well judging by the miserly bounty. Mistakes happen, but this is a production system folks - this kind of schoolboy config screw up should have been caught at the PoC/dev stage.

        1. Lusty

          Re: That would be the 'Extinguish' part, right?

          @Roo are you even aware of the publicly announced partnership where both companies stated as fact that Red Hat would carry out all support of their products on Azure personally using Red Hat staff in shared call centre facilities? Red Hat products weren't even available or supported on Azure before this announcement. There have been few if any vulnerabilities found in the other Azure services which were set up by MS.

          Your "experience" of Microsoft seems a little out of date too, but then MS have a long job to change perception there.

          1. Roo
            Windows

            Re: That would be the 'Extinguish' part, right?

            "publicly announced partnership where both companies stated as fact that Red Hat would carry out all support of their products on Azure personally using Red Hat staff in shared call centre facilities? "

            Yes.

            I am guessing that you understand that Support != Operate != Developing a Product. :)

            "There have been few if any vulnerabilities found in the other Azure services which were set up by MS."

            By the same token that doesn't necessarily mean that there aren't plenty to be found.

  2. Pascal Monett Silver badge

    $3500 for having found a risk of that magnitude ?

    Risk that MS was entirely responsible for due to shoddy security implementation ?

    For shame, Microsoft. He should get ten times that to start with, because if a blackhat had found that out and used it, the damage to your reputation would have been orders of magnitude higher.

    1. Adam 1 Silver badge

      Re: $3500 for having found a risk of that magnitude ?

      A blackhat could have mined bitcoin with every new instance of red hat on Azure, pushing a custom version of ps that hides the process and a custom version of ls that masks the version details of ps. Setting up a 24 hour "do nothing" on first start would make this really hard to detect as would throttling the computations to say 25% of the CPU in a low priority process.

      3500 is a joke given that risk.

      1. Korev Silver badge
        Pint

        Re: $3500 for having found a risk of that magnitude ?

        A blackhat could have mined bitcoin with every new instance of red hat on Azure, pushing a custom version of ps that hides the process and a custom version of ls that masks the version details of ps.

        Your idea suggests some excellent BOFHery skills Sir. Have a pint ->

    2. oiseau Silver badge
      FAIL

      Re: $3500 for having found a risk of that magnitude ?

      "... the damage to your reputation would have been orders of magnitude higher."

      Reputation?

      Microsoft's?

      Damage?

      You must be joking.

      Whatever reputation MS has is way beyond the possibility of further damage.

      And we all know it's been so for a long time.

      So it can be no surprise to anyone to get *this* for letting MS code inside your boxes.

      Cheers.

  3. Anonymous Coward
    Anonymous Coward

    Well, duh ..

    Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.

    And THAT, ladies and gentlemen, is why you don't want Microsoft code on your Linux machines. Keeping a Linux machine safe is not automatic, but it's manageable. Adding Microsoft-originated components to the mix is adding unnecessary risk. They don't code to the same quality and pay little attention to security but, to be fair, that's not unexpected. The last time they were near a Unix system was with Xenix.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, duh ..

      I'm kinda disappointed that Microsoft marketing hasn't downvoted my post yet. I feel neglected.

      :)

    2. oldcoder

      Re: Well, duh ..

      And then they laid off all the UNIX personnel, and for a time, I understand, even refused to hire people that had any contact with UNIX.

  4. Hans 1 Silver badge

    Problem description:

    > Duffy found a package labelled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host.

    > Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances.

    > Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.

    Proposed solution:

    Microsoft shuttered access to rhui-monitor.cloud and rotated secrets to close the hole.

    Unsure what "shuttered access" means, sounds like marketing speak ... while we are at it, does rotate secrets mean, like, change username, password, and certificate ?

    I guess we will have to wait until somebody creates the right package and 0wns all Azure RedHat instances for them to lookup what GPG stands for ...

    Why anybody would leave IT in the hands of the cretins over in Redmond is beyond me ...

    1. oldcoder

      The BIG question is:

      Since this is a mandatory module, doesn't that imply that the SAME facility is on all the other VMs running on Azure?

      IF it does, then that implies the other VMs are ALSO vulnerable to the same/similar attack - each custom to the OS being hosted...

      And THAT should scare the pants off Microsoft management.
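The quoted article text above says the Azure RHEL images were configured without GPG validation, so any package the (compromised) update infrastructure served would be installed unverified. The following is an added example, not code from the article, Microsoft or Red Hat: it audits yum/dnf repo configuration for that exact weakness and rewrites the repo file to force `gpgcheck=1`. The `[main]` section and the `rhui-example-*` repo definitions below are constructed for illustration and are not Azure's real RHUI client configuration; the `.invalid` URLs are placeholders. It models the real inheritance rule: a repo without its own `gpgcheck` inherits the `[main]` value, and if neither sets it the built-in default is 0, meaning no signature check.

```python
"""Audit yum/dnf repo files for repos that would accept unsigned packages.

Added example (not the article's or any vendor's code). Sample configs are
constructed; repo ids, URLs and the [main] section are assumptions.
"""
import configparser

# If neither the repo nor [main] sets gpgcheck, yum/dnf do NOT verify signatures.
DEFAULT_GPGCHECK = "0"

# Constructed stand-in for /etc/yum.conf (or dnf.conf) [main].
SAMPLE_YUM_CONF = """
[main]
gpgcheck=1
"""

# Constructed stand-in for one file under /etc/yum.repos.d/ with three repos.
SAMPLE_REPO_FILE = """
[rhui-example-rhel-server-releases]
name=Example RHEL Server (RPMs)
baseurl=https://rhui.example.invalid/pulp/repos/content/dist/rhel/os
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[rhui-example-rhel-server-extras]
name=Example RHEL Server Extras (inherits gpgcheck from [main])
baseurl=https://rhui.example.invalid/pulp/repos/content/dist/rhel/extras
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[rhui-example-no-key]
name=Example repo that checks signatures but names no key
baseurl=https://rhui.example.invalid/pulp/repos/content/dist/rhel/nokey
enabled=1
gpgcheck=1
"""


def _parse(text):
    # interpolation=None: repo files may legitimately contain '%' in URLs.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repos(yum_conf_text, repo_file_text):
    """Return {repo_id: finding} for enabled repos that will not, or cannot,
    verify package signatures. Disabled repos are skipped."""
    main = _parse(yum_conf_text)
    main_default = DEFAULT_GPGCHECK
    if main.has_section("main"):
        main_default = main["main"].get("gpgcheck", DEFAULT_GPGCHECK).strip()

    findings = {}
    for repo_id, repo in _parse(repo_file_text).items():
        if repo_id == "DEFAULT":
            continue  # configparser's implicit section, not a repo
        if repo.get("enabled", "1").strip() != "1":
            continue
        check = repo.get("gpgcheck", main_default).strip()
        if check != "1":
            findings[repo_id] = f"gpgcheck={check} (effective): unsigned packages accepted"
        elif not repo.get("gpgkey", "").strip():
            # Not "accepts unsigned", but verification depends on a key already
            # being in the rpm database; worth reviewing.
            findings[repo_id] = "gpgcheck=1 but no gpgkey configured"
    return findings


def _force_check(out):
    """Append 'gpgcheck=1' to the section just emitted, before trailing blanks."""
    trailing = []
    while out and not out[-1].strip():
        trailing.append(out.pop())
    out.append("gpgcheck=1")
    out.extend(trailing)


def harden_repo_file(repo_file_text):
    """Return the repo file with gpgcheck=1 in every section.
    Line-based so comments, ordering and other keys survive untouched."""
    out, in_section, seen_check = [], False, False
    for line in repo_file_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not seen_check:
                _force_check(out)
            in_section, seen_check = True, False
            out.append(line)
        elif in_section and stripped.split("=", 1)[0].strip() == "gpgcheck":
            out.append("gpgcheck=1")
            seen_check = True
        else:
            out.append(line)
    if in_section and not seen_check:
        _force_check(out)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for repo_id, finding in audit_repos(SAMPLE_YUM_CONF, SAMPLE_REPO_FILE).items():
        print(f"{repo_id}: {finding}")
    print(harden_repo_file(SAMPLE_REPO_FILE))
```

Two caveats a practitioner would add. First, `gpgcheck=1` only verifies the signatures on the RPMs themselves; signing of the repository metadata is a separate setting (`repo_gpgcheck`), and without it a compromised mirror can still serve stale or selectively withheld package lists. Second, the check is only as good as the key it trusts: if an attacker with control of the update host can also push a new `gpgkey` URL in a repo file, they can point clients at a key they hold, so the key path should be a local file that ships with the image rather than a URL fetched from the same infrastructure.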

  5. nilfs2
    Windows

    They suck on the desktop, on the server, and now on the cloud

    and yet people keep throwing money at those monkeys for their shitty software

    1. Anonymous Coward
      Anonymous Coward

      Re: They suck on the desktop, on the server, and now on the cloud

      … and their low-end virtual Ubuntu images have really slow disk I/O.

      Using identical images (Docker) of InfluxDB, with virtual host configured as supplied by the hosting provider:

      - Vultr: >10000 points per second ingestion rate

      - Azure: <1000 points per second ingestion rate

      We'll be taking a look at that management tool though … see if the Ubuntu version is vulnerable to the same key exposure bug.

      1. Anonymous Coward
        Anonymous Coward

        Re: They suck on the desktop, on the server, and now on the cloud

        Yep… slightly different place but …

        root@host:~# head /var/lib/waagent/Microsoft.OSTCExtensions.LinuxDiagnostic-2.3.9015/xmlCfg.xml
        <MonitoringManagement eventVersion="2" namespace="" timestamp="2014-12-01T20:00:00.000" version="1.0">
        <Accounts>
        <Account account="…" decryptKeyPath="/var/lib/waagent/….prv" isDefault="true" key="biglonghexstring" moniker="moniker" tableEndpoint="https://…/" />

        I wonder if that's the key that is being referred to?

  6. JCitizen
    Megaphone

    Azure horrid experience..

    I've had clients who were attacked by nation state and industrial espionage bad actors the minute Azure was instituted. Two of their businesses were destroyed by this. We could not get cooperation from Microsoft on the obvious breaches and disreputable users there to save our souls. I have nothing good to say about that program at all.

    One of them was so badly compromised that only snail mail worked to contact Microsoft, and they were no help.

  7. W. Anderson

    Microsoft shenanigans again

    Microsoft supporters need to take note - seriously, that the vulnerabilities referenced are for Redhat Enterprise Servers running "under" Microsoft Azure Cloud Services, which do not exist in Amazon AWS or OpenStack Cloud Computing Services from Redhat, Oracle, AT&T, Cisco, Intel, IBM, Ericsson, Citrix, Fujitsu, HPE, NEC or any of the other one hundred plus largest Cloud computing services based on Redhat Linux.

    There is no level of stupidity to which Microsoft clowns will not sink in attempting to make a case for Microsoft, when even Microsoft has concluded and admitted "publicly" its strong, albeit almost total, dependence on Linux and Free/Open Source Software (FOSS) for all its networking infrastructure.

Biting the hand that feeds IT © 1998–2019