Beware the ‘Secret Agent’ cloud middleware

RSA CONFERENCE 2022 – If cloud services weren’t complicated enough for the typical business today to properly configure and secure, there’s also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers’ virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these “secret agent” middleware programs on their customers’ virtual machines, and with the highest privileges, as a “bridge” between their cloud services and their customers’ VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

“These agents are adding an additional attack surface and cloud customers don’t know about those agents …; most are installed silently. If they come pre-installed, they have no idea” either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure’s Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren’t aware of OMI.

“There was confusion over how to handle this middleware” patching, Tamari said.

To read the complete article, visit Dark Reading.