Tenable, an exposure management company, has identified a Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor, a service designed for developers working within Oracle’s Cloud Shell ecosystem. This vulnerability could have allowed attackers to run malicious code on a server without needing direct access.
The RCE vulnerability enables threat actors to silently hijack a victim’s Cloud Shell environment, with just one click by the victim and potentially move across other OCI services. Once compromised, an attacker could execute arbitrary commands, access sensitive credentials, and pivot to other OCI services like Resource Manager, Functions, and Data Science. This could lead to broader system compromise, data exfiltration, or deployment of persistent backdoors, especially if the compromised environment had elevated privileges or access to other critical services.
“Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches.”
– Liv Matan, Senior Security Researcher at Tenable
According to Tenable Research, the main problem was that the Code Editor’s file upload feature didn’t properly check if requests were coming from where they should. This made it possible for a bad website to trick a user’s browser into uploading harmful files without the user knowing, as long as they were logged into their Oracle Cloud account. When the victim next opens their Cloud Shell, the malicious code in the uploaded file would automatically run.
This RCE vulnerability seen in OCI exemplifies what Tenable has coined the Jenga® Concept, the tendency for cloud providers to build services on top of one another, thus security risks and weaknesses in one layer cascade into other services.
“Similar to the game of Jenga, extracting one block can compromise the integrity of the whole structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinising these interconnected systems.”
Oracle has already fixed this vulnerability, and no additional action is required from users.
