An Oracle Cloud Infrastructure (OCI) vulnerability that enables attackers to alter users’ storage volumes without their consent has been disclosed by cloud security firm Wiz.
The vulnerability, also known as #AttachMe, was mentioned in Oracle’s July 2022 Critical Patch Update and could have made sensitive information available to attackers who knew the victim’s Oracle Cloud Identifier (OCID). In essence, this flaw rendered cloud isolation in OCI useless, enabling anyone to attach disks to virtual machines in other accounts without authorization. By obtaining the victim’s OCID and launching a compute instance on a tenant that is part of the same availability domain as the target volume, an attacker could take advantage of the security flaw.
Once the attachment completed, the attacker could access the victim's volume and read from or write to it.
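The flaw described above amounts to a missing tenant-isolation check on the attach operation: the service located the volume by its OCID and checked the availability domain, but did not verify that the caller owned the volume. The following is an added, simplified Python model of that authorization boundary, written for this article; it is not Oracle's code, and the OCID strings, tenancy names and the `AttachError` type are constructed for the example. It shows the vulnerable pattern beside the hardened one, where the check binds both the instance and the volume to the caller's tenancy and returns the same error for "not found" and "not authorized" so that a guessed OCID cannot be used to confirm that a volume exists.

```python
"""Model of the tenant-isolation check behind #AttachMe (added example, not Oracle's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    ocid: str                 # constructed OCID, e.g. "ocid1.volume.oc1.phx.example-victim"
    tenancy: str              # owning tenancy
    availability_domain: str  # e.g. "AD-1"


@dataclass(frozen=True)
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


class AttachError(Exception):
    """Raised when an attach request is refused (hypothetical error type)."""


def attach_volume_unchecked(volumes, instance, volume_ocid):
    """Vulnerable pattern: resolve the volume by OCID, check only the availability
    domain, and attach it regardless of which tenancy owns it."""
    vol = volumes[volume_ocid]
    if vol.availability_domain != instance.availability_domain:
        raise AttachError("instance and volume are in different availability domains")
    return vol  # attached even when vol.tenancy != instance.tenancy


def attach_volume_checked(volumes, instance, volume_ocid, caller_tenancy):
    """Hardened pattern: the caller must own both the instance and the volume.
    'Not found' and 'not yours' produce the same error so the OCID is not an
    existence oracle; the availability-domain check runs only after authorization."""
    vol = volumes.get(volume_ocid)
    if (vol is None
            or vol.tenancy != caller_tenancy
            or instance.tenancy != caller_tenancy):
        raise AttachError("volume not found or not authorized")
    if vol.availability_domain != instance.availability_domain:
        raise AttachError("instance and volume are in different availability domains")
    return vol


# Constructed sample inventory: a victim volume and an attacker instance in the
# same availability domain but in different tenancies.
VOLUMES = {
    "ocid1.volume.oc1.phx.example-victim": Volume(
        "ocid1.volume.oc1.phx.example-victim", "victim-tenancy", "AD-1"),
}
ATTACKER_INSTANCE = Instance(
    "ocid1.instance.oc1.phx.example-attacker", "attacker-tenancy", "AD-1")
VICTIM_INSTANCE = Instance(
    "ocid1.instance.oc1.phx.example-victim", "victim-tenancy", "AD-1")


def cross_tenant_attach_succeeds(attach):
    """Return True if `attach` lets the attacker instance attach the victim's volume."""
    try:
        attach(VOLUMES, ATTACKER_INSTANCE, "ocid1.volume.oc1.phx.example-victim")
        return True
    except AttachError:
        return False


def demo():
    """Compare both implementations; returns a dict of outcomes."""
    checked = lambda v, i, o: attach_volume_checked(v, i, o, caller_tenancy=i.tenancy)
    owner_ok = attach_volume_checked(
        VOLUMES, VICTIM_INSTANCE, "ocid1.volume.oc1.phx.example-victim",
        caller_tenancy="victim-tenancy") is not None
    return {
        "unchecked_cross_tenant": cross_tenant_attach_succeeds(attach_volume_unchecked),
        "checked_cross_tenant": cross_tenant_attach_succeeds(checked),
        "checked_owner": owner_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that knowing an OCID is not a credential: a resource identifier must never stand in for an ownership check, and the authorization decision has to cover every resource named in the request, not just the one the caller is acting from.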