Before it was patched, #AttachMe could have allowed attackers to access and modify any other users' OCI storage volumes without authorization, thereby violating cloud isolation. Upon disclosure, the vulnerability was fixed within hours by Oracle. No customer action was required.
# Analysis Summary
# Vulnerability: Cross-Tenant OCI Volume Attachment Leak (AttachMe)
## CVE Details
- CVE ID: Not stated in the source text; the fix is associated with Oracle's July 2022 Critical Patch Update Advisory.
- CVSS Score: Not stated in the source text (the description implies **Critical** severity).
- CWE: Insufficient authorization/permission checks (likely CWE-285, Improper Authorization).
## Affected Systems
- Products: Oracle Cloud Infrastructure (OCI)
- Versions: All OCI customers prior to the patch deployment in June 2022.
- Configurations: Any OCI environment utilizing OCI Block Volumes or Boot Volumes.
## Vulnerability Description
The vulnerability, dubbed "AttachMe," allowed an attacker in one OCI tenancy to attach a block or boot volume belonging to *another* OCI tenant to one of their own compute instances, requiring only knowledge of the target volume's Oracle Cloud Identifier (OCID). This bypasses standard cross-tenant isolation controls. By attaching another tenant's volume, the attacker gained full read/write privileges to that volume, enabling data exfiltration, searching for secrets, or modifying system binaries (on boot volumes) to achieve subsequent code execution upon mounting.
## Exploitation
- Status: An exploitation path was established by the researchers and patches were deployed rapidly (a **PoC available** status is implied by the research process).
- Complexity: **Low**. An attacker needed only the volume OCID, which is often publicly discoverable via internet searches or obtainable through low-privileged access inside the tenancy.
- Attack Vector: **Network** (Utilizing cloud control plane APIs).
## Impact
- Confidentiality: **High**. Sensitive data exfiltration possible.
- Integrity: **High**. Data modification, including executable files, possible.
- Availability: **Medium/High**. Modification of boot volumes could render instances unusable or lead to environment takeover.
## Remediation
### Patches
- Oracle patched the vulnerability within 24 hours of being notified (June 10, 2022). No customer action was required as the fix was applied server-side by Oracle. The fix is associated with the **July 2022 Critical Patch Update Advisory**.
### Workarounds
- No specific customer workarounds were mentioned as Oracle addressed the issue immediately and centrally.
## Detection
- **Indicators of Compromise:** Volume attachment events in which the attaching instance belongs to a different tenancy than the volume, i.e. the instance OCID is not one the volume owner controls.
- **Detection Methods and Tools:** Audit OCI Audit Logs for `volume-attachment` API calls and check that the tenancy owning the `instance-id` matches the tenancy owning the `volume-id`; any mismatch is a cross-tenant attachment.
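An added example of the detection check described above (not code from the source or from Oracle): it scans constructed attach events against a constructed inventory of the tenancy's own OCIDs and flags any attachment where the instance and the volume do not both belong to this tenancy. The event field names and every OCID below are assumptions made for the example.

```python
import json

# Constructed inventory of the OCIDs this tenancy owns; in practice it would be
# built from the Compute and Block Volume list APIs. All identifiers are made up.
OUR_RESOURCES = {
    "ocid1.instance.oc1.iad.inst-a1",
    "ocid1.instance.oc1.iad.inst-a2",
    "ocid1.volume.oc1.iad.vol-a1",
    "ocid1.bootvolume.oc1.iad.boot-a1",
}

# Constructed attach/detach events, one JSON object per line. The field names are an
# assumption for this example, not OCI's exact Audit event schema.
SAMPLE_EVENTS = """\
{"eventType": "attach-volume", "instanceId": "ocid1.instance.oc1.iad.inst-a1", "volumeId": "ocid1.volume.oc1.iad.vol-a1"}
{"eventType": "attach-volume", "instanceId": "ocid1.instance.oc1.iad.inst-x9", "volumeId": "ocid1.volume.oc1.iad.vol-a1"}
{"eventType": "attach-volume", "instanceId": "ocid1.instance.oc1.iad.inst-a2", "volumeId": "ocid1.bootvolume.oc1.iad.boot-a1"}
{"eventType": "attach-volume", "instanceId": "ocid1.instance.oc1.iad.inst-a1", "volumeId": "ocid1.volume.oc1.iad.vol-x9"}
{"eventType": "detach-volume", "instanceId": "ocid1.instance.oc1.iad.inst-x9", "volumeId": "ocid1.volume.oc1.iad.vol-a1"}
"""

def ocid_type(ocid):
    """Return the resource-type segment of an OCID (ocid1.<type>.<realm>.<region>.<id>)."""
    parts = ocid.split(".")
    if len(parts) < 5 or parts[0] != "ocid1":
        raise ValueError(f"malformed OCID: {ocid!r}")
    return parts[1]

def find_cross_tenant_attachments(raw_events, our_resources):
    """Return (volume, instance, reason) for every attach where only one side is ours."""
    findings = []
    for line in raw_events.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventType") != "attach-volume":
            continue
        inst, vol = ev["instanceId"], ev["volumeId"]
        # Sanity-check the OCID types before trusting the identifiers at all.
        if ocid_type(inst) != "instance" or ocid_type(vol) not in ("volume", "bootvolume"):
            findings.append((vol, inst, "unexpected resource type in attach request"))
            continue
        inst_ours, vol_ours = inst in our_resources, vol in our_resources
        if vol_ours and not inst_ours:
            # The AttachMe victim pattern: our volume on an instance we do not control.
            findings.append((vol, inst, "our volume attached to an instance outside this tenancy"))
        elif inst_ours and not vol_ours:
            findings.append((vol, inst, "our instance attached a volume outside this tenancy"))
    return findings
```

Running `find_cross_tenant_attachments(SAMPLE_EVENTS, OUR_RESOURCES)` on the constructed events yields two findings: the foreign instance `inst-x9` attaching our `vol-a1`, and our `inst-a1` attaching the foreign `vol-x9`; the detach event and same-tenancy attachments are ignored.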
## References
- Oracle July 2022 Critical Patch Update Advisory: hxxps://www.oracle.com/security-alerts/cpujul2022.html