Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk)

← Back to Stories (view on slashdot.org)

Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk)

Posted by msmash on Monday November 28, 2016 @06:00AM from the feed-and-speed dept.

An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.

35 comments

Min score:

Reason:

Sort:

XYZ PDQ by Anonymous Coward · 2016-11-28 06:03 · Score: 0

Oh, Microsoft. Welcome to Monday!
Moral of story: MSFT fixes things by nadass · 2016-11-28 06:08 · Score: 0

So their setup was a little too 'open' for open-source advocates. They closed access and rotated security keys. Problem solved.
1. Re:Moral of story: MSFT fixes things by 110010001000 · 2016-11-28 06:10 · Score: 1
  
  They locked the vault door after the money was stolen. Problem solved.
2. Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:19 · Score: 0
  
  They locked the vault door after the money was stolen. Problem solved.
  Too bad they didn't lock it before the guy's wife was murdered, then he wouldn't have had to spend his life searching for his kid.
  (oh wait...he just didn't care enough to look)
3. Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:20 · Score: 1
  
  Moral of the story: Microsoft got caught backdooring their Azure instances on behalf of the government. Shill all you want, you fucking whore, in the end you'll burn like the rest.
4. Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:25 · Score: 1
  
  They locked the vault door after the money was stolen. Problem solved.
  Too bad they didn't lock it before the guy's wife was murdered, then he wouldn't have had to spend his life searching for his kid.
  (oh wait...he just didn't care enough to look)
  No, no, no!
  That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
  Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
5. Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:48 · Score: 0
  
  So your saying MS is Backdooring RHEL. Developed by Redhat - who's biggest contractor is the DoD. RHEL that forces a monolithic pid 1 init system that, and I quote, "We have commit to and you don't"? RHEL that implements SELinux as designed by the NSA.
  Yes. MS in the reason your azure instance has governmental back doors.
6. Re:Moral of story: MSFT fixes things by fuzznutz · 2016-11-28 07:06 · Score: 1
  
  No, no, no!
  That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
  Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
  Cut the Juice some slack. He's trying harder. He's infiltrated a prison doing recon. Now that's selflessness.
7. Re: Moral of story: MSFT fixes things by buchanmilne · 2016-11-28 07:38 · Score: 1
  
  "So your saying MS is Backdooring RHEL."
  No, only instances built from the default Azure template.
  (And this is one of those problems of 'cloud', you outsource some of your host security in the name of convenience)
8. Re: Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 11:40 · Score: 0
  
  Cant read and suck dick at thevsame time shill? Try again. You read what you wanted to read.
If you want an RHEL cloud server... by unixisc · 2016-11-28 06:09 · Score: 1

... why would you go to Microsoft, instead of Amazon or someone else? Doesn't Red Hat have any cloud services?
1. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 06:26 · Score: 2, Informative
  
  They do it because Microsoft, with a laughably inferior cloud offering, resorts to FUD, bribery, and extortion to force companies to migrate to Azure.
  These companies usually endure it for a couple of years then migrate back.
2. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 06:29 · Score: 0
  
  1. If you have an existing account with Azure and would like to try something before fully switching over
  2. Setting up and managing additional enterprise account is not free
  3. ToS are different and you like Azure ToS better than others
  4. SLA agreements and remediation
  5. Keeping servers on same network vs setting up VPN and firewalls
3. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 06:32 · Score: 0
  
  ... why would you go to Microsoft, instead of Amazon or someone else? Doesn't Red Hat have any cloud services?
  because azure is genuinely a solid competitor to aws
4. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 07:14 · Score: 0
  
  ... why would you go to Microsoft, instead of Amazon or someone else? Doesn't Red Hat have any cloud services?
  Why would I go to an online discount shopping mall for my servers, and no they don't.
5. Re:If you want an RHEL cloud server... by Skuld-Chan · 2016-11-28 07:14 · Score: 0
  
  Microsoft's management ui for their cloud services is actually really quite nice. Plus if you already have a paid developer account - you get a decent amount of time for free on Azure.
6. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 09:45 · Score: 0
  
  While I agree Microsoft guys are (sometimes) great at doing UIs, the people running their businesses in the cloud tend to focus on the service quality, availability and security. And that's why running yours in Azure is a bad idea, unless of course your business is so tied to Microsoft tech that you cannot use anything else. That's another problem, though.
7. Re:If you want an RHEL cloud server... by ahabswhale · 2016-11-29 13:11 · Score: 1
  
  Azure is a joke compared to AWS. It's not even in the same league. AWS is better in almost every way. Be serious.
  
  --
  Are agnostics skeptical of unicorns too?
MS security sucks, dog bites man, water is wet by Anonymous Coward · 2016-11-28 06:16 · Score: 0

And the sky is blue.
1. Re:MS security sucks, dog bites man, water is wet by guestapoo · 2016-11-28 06:35 · Score: 1
  
  MS security sucks, dog bites man, water is wet, and the sky is Azure (no clouds) - FTFY
You'd think MS would have better quality assurance by TheDarkener · 2016-11-28 06:24 · Score: 4, Funny

Just kidding.

--
It is pitch black. You are likely to be eaten by a grue.
I toldja so! by Anonymous Coward · 2016-11-28 06:34 · Score: 0

They should have used Linux, I mean their Linux should have used Windows, I mean ... dammit, my fanboy gland is confused.
Help! I'm locked into a Windows shop... by __aaclcg7560 · 2016-11-28 06:41 · Score: 1

Is the Red Hat Certification any good for Linux jobs?
Everyone should learn from pilots... by WoodstockJeff · 2016-11-28 06:47 · Score: 2

... that clouds are places to hide big rocks.
Microsoft sucks at Linux! by Anonymous Coward · 2016-11-28 08:02 · Score: 0

Don't everyone die of shock!
Serious Issue / Not the End of the World by dave562 · 2016-11-28 08:13 · Score: 1

While this is a serious flaw and it is good to know that it has been fixed, it is easily avoidable. I can't speak for other Azure customers, but my organization does not use the default Microsoft OS images. We provide our own. If there is an issue in our base builds, it is because our internal security team screwed up.
Azure is an okay platform, but it is also a very new platform. The old adage of "Trust but verify." definitely applies.
I mostly trust that Microsoft can put together a clean Windows Server build, but we still bring our own. I would not trust Microsoft to secure a Linux build.
1. Re:Serious Issue / Not the End of the World by BlueStrat · 2016-11-28 08:54 · Score: 2
  
  I would not trust Microsoft to secure a Linux build.
  This^^^
  I can understand a business using Azure, but using MS-built RHEL images? Particularly when this is a relatively-new service/product MS offers? I'd think any competent admins at these companies would have been extremely wary given the MS track record on new builds of even their own code, never mind a linux system. I know I'd have kicked up a fuss and insisted on thorough testing and vetting of these builds before rolling them out to production servers. Maybe many did but were overruled by PHBs. In either case I'd fault these companies who didn't verify the builds more than MS. I mean, it's MS...you *expect* that crap! Or, at least one should.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
2. Re:Serious Issue / Not the End of the World by dave562 · 2016-11-28 10:05 · Score: 2
  
  I mean, it's MS...you *expect* that crap! Or, at least one should.
  Exactly. I say this all the time, "If Microsoft always got things right, I would be out of a job."
Really by Anonymous Coward · 2016-11-28 09:41 · Score: 0

Of course nobody being serious would even think of running their linux based business machines on microsoft services. Windows azure is great, great for those still in the active directory or echange lock in. Not for non-ms tech.
NSA Moles doing their job by Anonymous Coward · 2016-11-28 10:30 · Score: 0

It's good to see that the usual NSA moles in MS are still doing a bang-up job.
Next thing to look out for, with Trump in control, is OS10 fiddling with search results to only deliver search results that paint Trump and Putin in a good light, orange light but good light.
Microsoft errs fucking Linux by Anonymous Coward · 2016-11-28 13:35 · Score: 0

An error ... really ? M$ hurting Linux to the core !! Surprised you say ??? Kinda like assuming that H1-B chi.com coder you just hired doesn't work for Chinese Intellegence Services !
Because by ald_a · 2016-11-28 23:36 · Score: 2

Microsoft loves Linux