Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk)

← Back to Stories (view on slashdot.org)

Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk)

Posted by msmash on Monday November 28, 2016 @06:00AM from the feed-and-speed dept.

An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.

16 of 35 comments (clear)

Min score:

Reason:

Sort:

If you want an RHEL cloud server... by unixisc · 2016-11-28 06:09 · Score: 1

... why would you go to Microsoft, instead of Amazon or someone else? Doesn't Red Hat have any cloud services?
1. Re:If you want an RHEL cloud server... by Anonymous Coward · 2016-11-28 06:26 · Score: 2, Informative
  
  They do it because Microsoft, with a laughably inferior cloud offering, resorts to FUD, bribery, and extortion to force companies to migrate to Azure.
  These companies usually endure it for a couple of years then migrate back.
2. Re:If you want an RHEL cloud server... by ahabswhale · 2016-11-29 13:11 · Score: 1
  
  Azure is a joke compared to AWS. It's not even in the same league. AWS is better in almost every way. Be serious.
  
  --
  Are agnostics skeptical of unicorns too?
Re:Moral of story: MSFT fixes things by 110010001000 · 2016-11-28 06:10 · Score: 1

They locked the vault door after the money was stolen. Problem solved.
Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:20 · Score: 1

Moral of the story: Microsoft got caught backdooring their Azure instances on behalf of the government. Shill all you want, you fucking whore, in the end you'll burn like the rest.
You'd think MS would have better quality assurance by TheDarkener · 2016-11-28 06:24 · Score: 4, Funny

Just kidding.

--
It is pitch black. You are likely to be eaten by a grue.
Re:Moral of story: MSFT fixes things by Anonymous Coward · 2016-11-28 06:25 · Score: 1

They locked the vault door after the money was stolen. Problem solved.
Too bad they didn't lock it before the guy's wife was murdered, then he wouldn't have had to spend his life searching for his kid.
(oh wait...he just didn't care enough to look)
No, no, no!
That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
Re:MS security sucks, dog bites man, water is wet by guestapoo · 2016-11-28 06:35 · Score: 1

MS security sucks, dog bites man, water is wet, and the sky is Azure (no clouds) - FTFY
Help! I'm locked into a Windows shop... by __aaclcg7560 · 2016-11-28 06:41 · Score: 1

Is the Red Hat Certification any good for Linux jobs?
Everyone should learn from pilots... by WoodstockJeff · 2016-11-28 06:47 · Score: 2

... that clouds are places to hide big rocks.
Re:Moral of story: MSFT fixes things by fuzznutz · 2016-11-28 07:06 · Score: 1

No, no, no!
That was OJ! It was OJ who said he was going to spend the rest of his life looking for Nicole's killer.
Obviously, OJ thought Nicole's killer was a golfer who spent most of his time on Florida golf courses. OJ was right, too.
Cut the Juice some slack. He's trying harder. He's infiltrated a prison doing recon. Now that's selflessness.
Re: Moral of story: MSFT fixes things by buchanmilne · 2016-11-28 07:38 · Score: 1

"So your saying MS is Backdooring RHEL."
No, only instances built from the default Azure template.
(And this is one of those problems of 'cloud', you outsource some of your host security in the name of convenience)
Serious Issue / Not the End of the World by dave562 · 2016-11-28 08:13 · Score: 1

While this is a serious flaw and it is good to know that it has been fixed, it is easily avoidable. I can't speak for other Azure customers, but my organization does not use the default Microsoft OS images. We provide our own. If there is an issue in our base builds, it is because our internal security team screwed up.
Azure is an okay platform, but it is also a very new platform. The old adage of "Trust but verify." definitely applies.
I mostly trust that Microsoft can put together a clean Windows Server build, but we still bring our own. I would not trust Microsoft to secure a Linux build.
1. Re:Serious Issue / Not the End of the World by BlueStrat · 2016-11-28 08:54 · Score: 2
  
  I would not trust Microsoft to secure a Linux build.
  This^^^
  I can understand a business using Azure, but using MS-built RHEL images? Particularly when this is a relatively-new service/product MS offers? I'd think any competent admins at these companies would have been extremely wary given the MS track record on new builds of even their own code, never mind a linux system. I know I'd have kicked up a fuss and insisted on thorough testing and vetting of these builds before rolling them out to production servers. Maybe many did but were overruled by PHBs. In either case I'd fault these companies who didn't verify the builds more than MS. I mean, it's MS...you *expect* that crap! Or, at least one should.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
2. Re:Serious Issue / Not the End of the World by dave562 · 2016-11-28 10:05 · Score: 2
  
  I mean, it's MS...you *expect* that crap! Or, at least one should.
  Exactly. I say this all the time, "If Microsoft always got things right, I would be out of a job."
Because by ald_a · 2016-11-28 23:36 · Score: 2

Microsoft loves Linux