
Tenable reveals RCE flaw in Oracle Cloud editor, highlights risks
Tenable has announced the disclosure of a Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure's (OCI) Code Editor, raising questions about risks inherent in interconnected cloud services.
Researchers at Tenable identified a flaw in the OCI Code Editor, a tool used by developers working within Oracle's Cloud Shell ecosystem. The vulnerability potentially allowed attackers to remotely execute code in a victim's environment without direct access, simply by tricking a user into clicking a malicious link while logged into their Oracle Cloud account.
RCE vulnerability explained
The flaw, now resolved by Oracle, was caused by insufficient origin checks on the Code Editor's file upload feature. This allowed malicious websites to manipulate a user's browser to upload harmful files to their Oracle Cloud Shell account without their knowledge. When the targeted user subsequently opened their Cloud Shell, the uploaded file could automatically execute malicious commands.
Tenable emphasised the possible consequences of this vulnerability, stating that an attacker could "silently hijack a victim's Cloud Shell environment, with just one click by the victim and potentially move across other OCI services." The ability to execute arbitrary commands from this position could have exposed sensitive credentials and enabled lateral movement to other services such as Resource Manager, Functions, or Data Science, increasing the scope for system compromise, data theft, or persistent backdoors.
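The kind of origin check whose absence is described above, sketched as an added example (not taken from Tenable's report or Oracle's code): a server-side gate for a state-changing upload endpoint that accepts only exact-match trusted origins and fails closed. The function names, the header handling and the `cloud.example.test` origin are assumptions made for illustration.

```javascript
// Added illustration: all names and origins are hypothetical, not Oracle's code.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Return the scheme://host[:port] origin of a URL string, or null if it has none.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin; // opaque origins (data:, sandboxed)
  } catch {
    return null; // missing, literal "null", or malformed header value
  }
}

// Gate for state-changing requests such as a file upload.
// `headers` uses lower-cased names, as Node's http module provides them.
function checkUploadOrigin(method, headers, allowedOrigins) {
  // Safe methods must never change state, so they are not gated here.
  if (SAFE_METHODS.has(method.toUpperCase())) return { allow: true, reason: "safe method" };
  // Fetch Metadata: browsers that send it label cross-site requests explicitly.
  if (headers["sec-fetch-site"] === "cross-site") {
    return { allow: false, reason: "cross-site request" };
  }
  // Prefer Origin; fall back to Referer only when Origin is absent.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const claimed = originOf(raw || "");
  // Fail closed: a request with no verifiable origin is rejected, not waved through.
  if (claimed === null) return { allow: false, reason: "no verifiable origin" };
  // Exact match on the parsed origin, never a prefix or substring test.
  if (!allowedOrigins.has(claimed)) return { allow: false, reason: "untrusted origin" };
  return { allow: true, reason: "trusted origin" };
}

// Constructed sample requests (not captured traffic).
const ALLOWED = new Set(["https://cloud.example.test"]);
const SAMPLES = [
  ["same-origin upload", "POST", { origin: "https://cloud.example.test", "sec-fetch-site": "same-origin" }],
  ["cross-site form post", "POST", { origin: "https://attacker.example", "sec-fetch-site": "cross-site" }],
  ["lookalike host", "POST", { origin: "https://cloud.example.test.attacker.example" }],
  ["opaque origin", "POST", { origin: "null" }],
  ["no origin headers", "POST", {}],
  ["referer fallback", "POST", { referer: "https://cloud.example.test/editor?file=a" }],
];

function evaluateSamples() {
  return SAMPLES.map(([name, method, headers]) =>
    ({ name, ...checkUploadOrigin(method, headers, ALLOWED) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allow ? "ALLOW" : "DENY "} ${r.name}: ${r.reason}`);
}
```

An origin allow-list of this kind complements anti-CSRF tokens and SameSite cookie settings; it does not replace them.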
The 'Jenga Concept'
The RCE flaw illustrates broader concerns highlighted by Tenable around the architecture of cloud service providers. Tenable refers to this as the Jenga Concept, a notion capturing the compounding risks when providers build new services on the foundations of existing ones.
"Similar to the game of Jenga, extracting one block can compromise the integrity of the whole structure," said Liv Matan, Senior Security Researcher at Tenable.
Matan continued, "Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinizing these interconnected systems."
Potential impact and implications
If exploited, Tenable reports the vulnerability could have allowed attackers to take the following actions:
- Silently take over a victim's Cloud Shell environment
- Run unauthorised code on the victim's Oracle Cloud services
- Access sensitive data and secrets within the victim's OCI environment
- Pivot into other integrated services such as Resource Manager or Data Science to deploy new resources or exfiltrate data
Oracle has issued a patch to address the issue, and according to Tenable no further action is currently required from users.
Security recommendations
Despite the issue being fixed, Tenable is recommending that organisations take steps to reduce risks from similar vulnerabilities in the future. These include implementing a least privilege model to restrict unnecessary permissions and limit the scope of potential compromises, mapping dependencies and integrations among cloud services to reveal possible attack surfaces, reviewing logs for indicators of compromise, and consistently monitoring for unusual access patterns or unauthorised file modifications.
Matan commented on the wider lesson for cloud security professionals, stating, "This RCE vulnerability found in OCI underscores that cloud security isn't just about reacting to threats, but actively preventing them. As cloud environments become more intricate, security teams must stay ahead, identifying and fixing weaknesses before they can be exploited."