> Duffy found a package labelled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host.
> Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with an SSL certificate that granted full administrative access to the four Red Hat Update Appliances.
> Duffy says all Azure RHEL images are configured without GPG validation checks, meaning all would accept malicious package updates on their next run of yum updates.
Microsoft shuttered access to rhui-monitor.cloud and rotated secrets to close the hole.
Unsure what "shuttered access" means, sounds like marketing speak ... while we are at it, does rotate secrets mean, like, change username, password, and certificate?
I guess we will have to wait until somebody creates the right package and 0wns all Azure Red Hat instances for them to look up what GPG stands for ...
Why anybody would leave IT in the hands of the cretins over in Redmond is beyond me ...
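
Added example, not part of the original comment or of the article it quotes: a small audit that reports which enabled yum repositories on a host would install packages without a GPG signature check, the misconfiguration the quoted report describes. The repo ids, URLs and the function name `unsigned_repos` are constructed for illustration, and the treatment of an unset `gpgcheck` as off is an assumption taken from the yum.conf man page.

```python
import configparser

# Constructed sample: yum.conf [main] plus repo stanzas; ids and URLs are made up.
SAMPLE = """\
[main]
gpgcheck=1

[example-rhui-base]
baseurl=https://rhui.example.invalid/base
enabled=1
gpgcheck=0

[example-rhui-extras]
baseurl=https://rhui.example.invalid/extras
enabled=1

[example-retired]
baseurl=https://rhui.example.invalid/old
enabled=0
gpgcheck=0
"""

def _on(value):
    # yum boolean options accept 1/0, yes/no, true/false
    return value.strip().lower() in {"1", "yes", "true"}

def unsigned_repos(*texts):
    """Return {repo_id: reason} for enabled repos that skip package signature checks."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    for text in texts:  # e.g. yum.conf followed by each *.repo file
        cp.read_string(text)
    # Assumption: an unset gpgcheck means "off", per the yum.conf man page;
    # a value in [main] becomes the default for every repo.
    main = cp.get("main", "gpgcheck", fallback=None)
    flagged = {}
    for repo in cp.sections():
        if repo == "main" or not _on(cp.get(repo, "enabled", fallback="1")):
            continue
        own = cp.get(repo, "gpgcheck", fallback=None)
        if own is not None:
            effective, source = own, "set in repo stanza"
        elif main is not None:
            effective, source = main, "inherited from [main]"
        else:
            effective, source = "0", "unset everywhere, default off"
        if not _on(effective):
            flagged[repo] = f"gpgcheck={effective.strip()} ({source})"
    return flagged

if __name__ == "__main__":
    for repo, reason in unsigned_repos(SAMPLE).items():
        print(f"{repo}: {reason}")
```

On a real host, pass the contents of `/etc/yum.conf` first and then each file under `/etc/yum.repos.d/`, so that per-repo settings are resolved against the `[main]` default.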