One click to compromise: Oracle Cloud Code Editor flaw exposed users to RCE

Attacks could have a wider blast radius: because Code Editor operates on the same underlying file system as the Cloud Shell, essentially a Linux home directory in the cloud, attackers could tamper with files used by other integrated services. This turns the flaw in a seemingly contained developer tool into an exposure for lateral movement across the OCI landscape.

“In practice, this could involve leveraging the victim’s active session and credentials to access other OCI resources by impersonating the attached cloud identity,” Matan pointed out. “The blast radius of such an attack depends on the permissions of the compromised identity.”

The Code Editor integrations can give an attacker additional attack primitives, such as modifying functions, accessing Resource Manager stacks, or injecting code into Data Science notebooks, depending on the victim’s environment, Matan added.

Because Cloud Shell is pre-authenticated with the user’s identity and shares session state, it is considered privileged. Any code executed in this environment has the same level of access as the logged-in user, making it a tempting target for attackers.

Matan noted that detecting this exploit would be challenging without specific auditing of file changes or unusual CLI behavior. However, enhanced logging around unexpected uploads could help identify anomalous activity early.

While Oracle did not immediately respond to CSO’s request for comment, the disclosure added that Oracle’s fix came in the form of a CSRF token requirement. This was enforced via a custom HTTP header that browsers cannot spoof in cross-origin requests, the researchers said.
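To illustrate the class of fix described above, here is an added server-side guard for a state-changing endpoint such as a file upload; it is a constructed example, not Oracle's code, and the header name, session layout and allowed origin are assumptions (the article does not name the header Oracle chose). A cross-origin HTML form post cannot attach a custom header without a CORS preflight the server never approves, so requiring a session-bound token in such a header blocks the one-click scenario.

```python
"""Constructed CSRF guard for a state-changing endpoint (e.g. an upload handler).

Assumptions (not from the article): the token lives in a server-side session
dict, the page's own JavaScript echoes it in the X-CSRF-Token header, and the
application is served from https://cloud.example.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_HEADER = "x-csrf-token"                 # assumed header name
ALLOWED_ORIGINS = {"https://cloud.example"}  # constructed application origin
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # lower-cased header names

    def header(self, name):
        return self.headers.get(name.lower())


def issue_csrf_token(session):
    """Create one unguessable token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(request, session):
    """Return (allowed, reason); the reason is intended for the audit log."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    # 1. Browser-issued cross-origin form posts cannot carry a custom header
    #    (a CORS preflight would be needed, and this endpoint never approves one).
    presented = request.header(CSRF_HEADER)
    if presented is None:
        return False, "missing CSRF header"
    # 2. The value must match the token bound to this session, in constant time.
    expected = session.get("csrf_token")
    if expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "CSRF token mismatch"
    # 3. Defence in depth: Fetch Metadata and Origin, when the browser sends them.
    #    "same-site" (a sibling subdomain) is deliberately rejected as well.
    site = request.header("sec-fetch-site")
    if site not in (None, "same-origin", "none"):
        return False, f"cross-site request (Sec-Fetch-Site={site})"
    origin = request.header("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed ({origin})"
    return True, "ok"
```

The returned reason strings are the hook for the logging the researchers recommend: a rejected upload with a foreign Origin or a missing token is exactly the "unexpected upload" worth alerting on.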

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4023337/one-click-to-compromise-oracle-cloud-code-editor-flaw-exposed-users-to-rce.html
