A software engineer setting up a secure Red Hat Enterprise Linux virtual machine in the cloud discovered a serious configuration flaw that could be exploited to upload arbitrary software packages to Microsoft Azure update infrastructure.
Ian Duffy found Microsoft had configured the Red Hat Update Appliance used for Azure in such a way that an attacker could easily get access to the content delivery servers and upload packages that client virtual machines would acquire when updating.
Duffy was able to bypass the username and password authentication on the content delivery server by running a log file collector application. Once completed, the log file collector provided a link to a downloadable compressed archive.
The archive contained a digital SSL certificate and private key that Duffy said granted full administrative access to Red Hat Update Appliances.
Had the flaw been exploited, an attacker could have gained full superuser (root) access to any RHEL virtual machine using the compromised software repositories, simply by releasing a malicious version of a common package that wouldn't be checked and waiting for the client systems to update.
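The attack above works only if clients install whatever the repository serves without verifying package signatures. As an added example (not code from the article, Microsoft or Red Hat), the script below audits yum/dnf `.repo` files for sections that do not enforce signature checking; it assumes the standard `gpgcheck=` key, which the article does not name, and runs against a constructed sample repo file.

```shell
#!/bin/sh
# Added example, not code from the article or from Microsoft/Red Hat: audit
# yum/dnf .repo files for sections that do not verify package signatures.
# Assumes the standard gpgcheck= key; the article does not name the setting.
# A missing gpgcheck is treated as unverified (conservative).

# Print "<file>:<section>" for each repo section with gpgcheck absent or 0.
# Returns 0 when every section verifies signatures, 1 otherwise.
audit_repo_gpgcheck() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (section != "" && gpg != 1) { print file ":" section; bad = 1 }
        }
        /^\[.*\]$/ {
            flush(); file = FILENAME
            section = substr($0, 2, length($0) - 2); gpg = 0; next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            gpg = (kv[2] == "1") ? 1 : 0
        }
        END { flush(); exit bad }
    ' "$@"
}

# Constructed sample: one section verifies, one silently disables checking.
SAMPLE_REPO='[rhui-base]
name=Constructed base repo
baseurl=https://example.invalid/rhui/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[rhui-extras]
name=Constructed extras repo
baseurl=https://example.invalid/rhui/extras
gpgcheck=0
'

# Write the sample to a temp file, run the audit, and return its status.
demo_audit() {
    tmp=$(mktemp) || return 2
    printf '%s' "$SAMPLE_REPO" > "$tmp"
    audit_repo_gpgcheck "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_audit || echo "unverified repo sections listed above" >&2
```

On a real host, run `audit_repo_gpgcheck /etc/yum.repos.d/*.repo`; any section it prints will accept unsigned packages from its mirror.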
Duffy also discovered that Microsoft's Azure Linux Agent, a mandatory piece of software used for provisioning Linux and FreeBSD virtual machines, could potentially be used to download virtual hard disks from cloud storage accounts.
A poor implementation of the Agent software allowed attackers to obtain the API keys for the Azure storage account that a virtual machine uses to ship its debug log files.
Creating a virtual machine on Azure with the Linux diagnostic extension enabled meant the API key granting access to that storage was written to an XML file. The key could then be used to interact with the storage account through the Azure cross-platform command line interface.
Duffy reported both issues to Microsoft's online services bug bounty program, and both have been rectified.