Slashdot Mirror


Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk)

An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances, which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with an SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks, meaning all would accept malicious package updates on their next run of yum updates.
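The last sentence of the summary names the setting on the defender's side: a repository configured with gpgcheck=0 (or with no gpgcheck at all) installs whatever the update server hands it, so a compromised update appliance is game over for the client. The script below is an added example, not code from Microsoft, Red Hat or The Register. It parses yum/dnf .repo files and yum.conf and lists every enabled repository whose packages would be installed without signature verification; the configuration embedded in it is constructed for the demonstration, and its hostnames and paths are placeholders.

```python
"""Audit yum/dnf repository configuration for disabled GPG signature checks.

Added example (not Microsoft's, Red Hat's or The Register's code). Reports
every enabled repository whose packages would be installed unsigned.
"""
import configparser
import sys
from pathlib import Path
from typing import Dict, List, Optional

REASON_DISABLED = "gpgcheck explicitly set to 0"
REASON_UNSET = "gpgcheck not set in repo or [main] (treated as disabled)"
REASON_NO_KEY = "gpgcheck on but no gpgkey configured (key must already be in the rpm db)"

FALSE_VALUES = {"0", "false", "no", "off"}

# Constructed sample (not an Azure or Red Hat file): one repo with checks
# disabled, one that inherits the [main] default, one that is not enabled.
SAMPLE_REPO = """
[main]
gpgcheck=1

[rhui-example-updates]
name=Example updates mirror (constructed)
baseurl=https://rhui.example.invalid/updates/
enabled=1
gpgcheck=0

[rhui-example-extras]
name=Example extras (constructed)
baseurl=https://rhui.example.invalid/extras/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[disabled-repo]
name=Not enabled, so not pulled on the next yum update
baseurl=https://rhui.example.invalid/old/
enabled=0
gpgcheck=0
"""


def parse_repo_text(text: str) -> configparser.ConfigParser:
    """Parse .repo / yum.conf syntax. Interpolation is off so $releasever,
    $basearch and a literal % in a URL do not confuse the parser."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def find_unsigned_repos(text: str, main_default: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one finding per enabled repository that lacks signature checks.

    main_default is the [main] gpgcheck value from yum.conf, if any; a [main]
    section inside `text` overrides it. A repo with no gpgcheck anywhere is
    reported as unset rather than silently trusted.
    """
    parser = parse_repo_text(text)
    if parser.has_option("main", "gpgcheck"):
        main_default = parser.get("main", "gpgcheck")
    findings = []
    for section in parser.sections():
        if section == "main":
            continue
        if parser.get(section, "enabled", fallback="1").strip().lower() in FALSE_VALUES:
            continue  # disabled repos are not consulted by yum update
        value = parser.get(section, "gpgcheck", fallback=main_default)
        if value is None:
            findings.append({"repo": section, "reason": REASON_UNSET})
        elif value.strip().lower() in FALSE_VALUES:
            findings.append({"repo": section, "reason": REASON_DISABLED})
        elif not parser.has_option(section, "gpgkey"):
            findings.append({"repo": section, "reason": REASON_NO_KEY})
    return findings


def scan_host(conf_path: str = "/etc/yum.conf", repo_dir: str = "/etc/yum.repos.d") -> List[Dict[str, str]]:
    """Audit a real host: pick up the [main] default from yum.conf, then every *.repo file."""
    main_default = None
    conf = Path(conf_path)
    if conf.is_file():
        p = parse_repo_text(conf.read_text())
        if p.has_option("main", "gpgcheck"):
            main_default = p.get("main", "gpgcheck")
    findings = []
    for repo_file in sorted(Path(repo_dir).glob("*.repo")):
        for finding in find_unsigned_repos(repo_file.read_text(), main_default):
            finding["file"] = str(repo_file)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # `--host` audits this machine's configuration; otherwise the constructed sample.
    results = scan_host() if "--host" in sys.argv else find_unsigned_repos(SAMPLE_REPO)
    for f in results:
        print(f"{f.get('file', 'sample')}: [{f['repo']}] {f['reason']}")
    sys.exit(1 if results else 0)
```

Running the sample flags only rhui-example-updates: rhui-example-extras inherits gpgcheck=1 from [main] and names a key, and the disabled repo is skipped. The non-zero exit status makes the script usable as an image build gate, which is the point at which the configuration described above should have been caught.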

6 of 35 comments

  1. You'd think MS would have better quality assurance by TheDarkener · · Score: 4, Funny

    Just kidding.

    --
    It is pitch black. You are likely to be eaten by a grue.
  2. Re:If you want an RHEL cloud server... by Anonymous Coward · · Score: 2, Informative

    They do it because Microsoft, with a laughably inferior cloud offering, resorts to FUD, bribery, and extortion to force companies to migrate to Azure.

    These companies usually endure it for a couple of years then migrate back.

  3. Everyone should learn from pilots... by WoodstockJeff · · Score: 2

    ... that clouds are places to hide big rocks.

  4. Re:Serious Issue / Not the End of the World by BlueStrat · · Score: 2

    I would not trust Microsoft to secure a Linux build.

    This^^^

    I can understand a business using Azure, but using MS-built RHEL images? Particularly when this is a relatively new service/product MS offers? I'd think any competent admins at these companies would have been extremely wary given the MS track record on new builds of even their own code, never mind a Linux system. I know I'd have kicked up a fuss and insisted on thorough testing and vetting of these builds before rolling them out to production servers. Maybe many did but were overruled by PHBs. In either case I'd fault these companies who didn't verify the builds more than MS. I mean, it's MS...you *expect* that crap! Or, at least one should.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  5. Re:Serious Issue / Not the End of the World by dave562 · · Score: 2

    I mean, it's MS...you *expect* that crap! Or, at least one should.

    Exactly. I say this all the time, "If Microsoft always got things right, I would be out of a job."

  6. Because by ald_a · · Score: 2

    Microsoft loves Linux