Beware the Secret Agent Cloud Middleware

Published: 23/11/2024   Category: security




New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.



RSA CONFERENCE 2022 – If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.
Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and the potential software flaws in it that can leave a cloud customer unknowingly at risk of attack.
Cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, and with the highest privileges, as a bridge between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to give cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.
"These agents are adding an additional attack surface and cloud customers don't know about those agents ...; most are installed silently. If they come pre-installed, they have no idea either," Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.
The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure's Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote code execution and privilege escalation vulnerabilities in Azure, a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.
Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: a default configuration for OMI exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them, since they weren't aware of OMI.
"There was confusion over how to handle this middleware patching," Tamari said.
The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent's listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access kernel memory from a user process.
Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.
AWS, meanwhile, has four such middleware agents listed in the dataset: AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw, CVE-2022-29527, was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.
Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and the guest agent also run on Windows. Accounts Daemon, which works in Google's OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vulnerability in 2020 that Google later fixed.
So, how can organizations pinpoint these "secret agents," as Wiz researchers refer to them?
In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: "Whose middleware is it [and] how do you know if it's running on your environment and does the software contain vulnerabilities, and how are updates and patches handled?"
"This is a different attack surface. It's a gray area," he said. "It needs transparency and a clear process for updates for agents, VMs."
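The article leaves the practical question of finding these agents to conversations with the provider. As an added example that is not part of the article or of Wiz's dataset, the Python script below inventories a Linux VM for the agents named above by matching the argv of running processes and checking for typical install paths. The process names and paths in KNOWN_AGENTS are assumptions about how these agents are commonly packaged, not facts from the article; check them against the Cloud Middleware Dataset entry for your provider before relying on them.

```python
"""Inventory well-known cloud middleware agents on a Linux VM.

Added example; not code from the article or from Wiz. The process and path
indicators below are assumptions drawn from how the agents named in the
article are usually packaged. Verify them against the Cloud Middleware
Dataset entry for your provider.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AgentSignature:
    provider: str
    name: str               # agent name as used in the article
    process_names: tuple    # executable basenames expected in a process argv
    paths: tuple            # install locations expected on disk


# Assumed indicators (not from the article); adjust to your environment.
KNOWN_AGENTS = (
    AgentSignature("Azure", "Open Management Infrastructure (OMI)",
                   ("omiserver", "omiengine", "omiagent"),
                   ("/opt/omi/bin/omiserver",)),
    AgentSignature("Azure", "Azure Guest Agent (WALinuxAgent)",
                   ("waagent",), ("/usr/sbin/waagent",)),
    AgentSignature("AWS", "Systems Manager Agent (SSM Agent)",
                   ("amazon-ssm-agent", "ssm-agent-worker"),
                   ("/usr/bin/amazon-ssm-agent", "/snap/amazon-ssm-agent")),
    AgentSignature("AWS", "ECS container agent",
                   ("amazon-ecs-agent", "amazon-ecs-init"),
                   ("/usr/libexec/amazon-ecs-init",)),
    AgentSignature("GCP", "Guest agent",
                   ("google_guest_agent",), ("/usr/bin/google_guest_agent",)),
    AgentSignature("GCP", "OSConfig agent",
                   ("google_osconfig_agent",), ("/usr/bin/google_osconfig_agent",)),
    AgentSignature("GCP", "Accounts Daemon (OS Login)",
                   ("google_accounts_daemon",), ("/usr/bin/google_accounts_daemon",)),
)


def tokens_from_cmdline(cmdline: bytes) -> frozenset:
    """Basenames of every argv element of a /proc/<pid>/cmdline record.

    Matching on argv instead of /proc/<pid>/comm matters: comm is cut to 15
    characters ("amazon-ssm-agent" loses its last letter) and an agent hosted
    by an interpreter, such as waagent, shows up in comm only as "python3".
    """
    args = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    return frozenset(os.path.basename(a) for a in args)


def collect_process_tokens() -> List[frozenset]:
    """Read the argv of every process visible in /proc (Linux only)."""
    result = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                result.append(tokens_from_cmdline(fh.read()))
        except OSError:  # process exited or permission denied; skip it
            continue
    return result


def match_agents(process_tokens: Iterable[frozenset],
                 present_paths: Iterable[str]) -> Dict[str, dict]:
    """Return {agent name: {provider, running, installed}} for each known
    agent that is running, present on disk, or both."""
    tokens = set()
    for t in process_tokens:
        tokens |= t
    paths = set(present_paths)
    found = {}
    for sig in KNOWN_AGENTS:
        running = any(p in tokens for p in sig.process_names)
        installed = any(p in paths for p in sig.paths)
        if running or installed:
            found[sig.name] = {"provider": sig.provider,
                               "running": running, "installed": installed}
    return found


def scan_host() -> Dict[str, dict]:
    """Run the inventory against the local Linux host."""
    on_disk = [p for sig in KNOWN_AGENTS for p in sig.paths if os.path.exists(p)]
    return match_agents(collect_process_tokens(), on_disk)


if __name__ == "__main__":
    for name, info in sorted(scan_host().items()):
        state = "running" if info["running"] else "installed, not running"
        print(f"[{info['provider']}] {name}: {state}")
```

Run it as root on the VM so that every process's cmdline is readable; an agent that is installed but not running is reported separately, since it still needs patching when the next OMIGOD-style advisory lands. The list of signatures is the part to maintain: the point of the dataset is that these names change and new agents appear without notice.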
