Tenable, the exposure management company, has identified a Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor, a service designed for developers working within Oracle’s Cloud Shell ecosystem. This vulnerability could have allowed attackers to run malicious code on a server without needing direct access.
The RCE vulnerability enables threat actors to silently hijack a victim’s Cloud Shell environment with just one click by the victim, and potentially to move across other OCI services. Once compromised, an attacker could execute arbitrary commands, access sensitive credentials, and pivot to other OCI services such as Resource Manager, Functions, and Data Science. This could lead to broader system compromise, data exfiltration, or deployment of persistent backdoors, especially if the compromised environment had elevated privileges or access to other critical services.
According to Tenable Research, the root cause was that the Code Editor’s file upload feature did not properly validate where requests originated. A malicious website could therefore trick a logged-in user’s browser into uploading harmful files to their Oracle Cloud account without the user knowing. The next time the victim opened their Cloud Shell, the malicious code in the uploaded file would run automatically.
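The failure described above is a missing origin check on a state-changing, cookie-authenticated endpoint. The following is an added illustration, not Oracle’s or Tenable’s code: a minimal upload handler that accepts any authenticated POST (the class of defect described in the write-up) beside a hardened handler that rejects cross-site requests using the Origin, Referer and Sec-Fetch-Site headers. The trusted console origin, the endpoint path and the sample requests are constructed for this example; the header names are the real HTTP and Fetch Metadata headers browsers send.

```python
"""Origin validation for a browser-facing file-upload endpoint (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the only origin the console front end is served from.
TRUSTED_ORIGINS = {"https://console.example-cloud.test"}


@dataclass
class Request:
    """A stripped-down HTTP request as the upload handler would see it."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    filename: str = ""
    body: bytes = b""


def is_authenticated(req: Request) -> bool:
    """Cookie-based session check; the browser attaches this cookie automatically,
    which is exactly why a cross-site request still looks authenticated."""
    return "session" in req.cookies


def cross_site_reason(req: Request) -> Optional[str]:
    """Return None if the request came from the console, otherwise why it was rejected."""
    h = {k.lower(): v for k, v in req.headers.items()}
    # Fetch Metadata: modern browsers label cross-site requests explicitly.
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "same-site"):
        return f"Sec-Fetch-Site={sfs}"
    origin = h.get("origin")
    if origin is None:
        # Older clients may omit Origin; fall back to Referer, and refuse a
        # state-changing request that carries neither.
        referer = h.get("referer")
        if referer is None:
            return "no Origin or Referer header"
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in TRUSTED_ORIGINS:
        return f"Origin={origin} is not a trusted console origin"
    return None


def handle_upload_vulnerable(req: Request, store: Dict[str, bytes]) -> Tuple[int, str]:
    """Accepts any authenticated POST regardless of where the browser was sent from."""
    if req.method != "POST" or not is_authenticated(req):
        return 401, "unauthenticated"
    store[req.filename] = req.body          # a cross-site page can reach this line
    return 200, "stored"


def handle_upload_hardened(req: Request, store: Dict[str, bytes]) -> Tuple[int, str]:
    """Same endpoint with the origin check the write-up says was missing."""
    if req.method != "POST" or not is_authenticated(req):
        return 401, "unauthenticated"
    reason = cross_site_reason(req)
    if reason is not None:
        return 403, reason                  # surface the reason to the audit log
    store[req.filename] = req.body
    return 200, "stored"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run both handlers over constructed requests; returns outcomes keyed by case."""
    cookies = {"session": "constructed-session-id"}
    legit = Request("POST", {"Origin": "https://console.example-cloud.test",
                             "Sec-Fetch-Site": "same-origin"}, cookies, "notes.txt", b"ok")
    legacy = Request("POST", {"Referer": "https://console.example-cloud.test/editor"},
                     cookies, "notes.txt", b"ok")
    foreign = Request("POST", {"Origin": "https://evil.example.test",
                               "Sec-Fetch-Site": "cross-site"}, cookies, "profile.sh", b"rm")
    bare = Request("POST", {}, cookies, "profile.sh", b"rm")
    results = {}
    for name, req in (("legit", legit), ("legacy", legacy), ("foreign", foreign), ("bare", bare)):
        results[f"vulnerable/{name}"] = handle_upload_vulnerable(req, {})
        results[f"hardened/{name}"] = handle_upload_hardened(req, {})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```

The hardened handler treats a missing Origin and Referer as a rejection rather than a pass, because a POST that mutates server state should never arrive without either from a real console session. In practice this check sits alongside a per-session anti-CSRF token and `SameSite` session cookies; the origin check alone is shown here because it is the control the write-up identifies as absent.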
This RCE vulnerability in OCI exemplifies what Tenable has coined the Jenga® Concept: the tendency of cloud providers to build services on top of one another, so that security risks and weaknesses in one layer cascade into the services that depend on it.
“Similar to the game of Jenga®, extracting one block can compromise the integrity of the whole structure,” said Liv Matan, Senior Security Researcher at Tenable.
“Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinizing these interconnected systems.”
Potential Impact of OCI Code Editor RCE Exploitation
If exploited, the RCE vulnerability found in OCI Code Editor could have allowed attackers to:
- Silently take control of a victim’s Cloud Shell environment.
- Run unauthorised code on the victim’s Oracle Cloud services.
- Access sensitive data and secrets within the victim’s OCI environment.
- Move into other integrated OCI services like Resource Manager or Data Science to deploy unauthorised resources or steal more data.
Oracle has already fixed this vulnerability, and no additional action is required from users.
Recommendations for Security Teams
While no user action is required to mitigate this specific OCI RCE, Tenable recommends that organisations:
- Follow the least privilege model to prevent unnecessary permission inheritance and limit the blast radius of any compromise.
- Map hidden dependencies and integrations between cloud services to identify potential new attack surfaces.
- Review logs to identify any possible indicators of compromise that may require remediation.
- Regularly review logs to detect suspicious access patterns and unauthorised file modifications.
“This RCE vulnerability found in OCI underscores that cloud security isn’t just about reacting to threats, but actively preventing them. As cloud environments become more intricate, security teams must stay ahead, identifying and fixing weaknesses before they can be exploited,” Matan emphasised.
Read the full research findings here.
JENGA® is a registered trademark owned by Pokonobe Associates.