Microsoft, at least they found and fixed the problem themselves this time.



  • http://www.theregister.co.uk/2016/11/28/microsoft_update_servers_left_all_azure_rhel_instances_hackable/

    Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS.

    From there Duffy found a package labelled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host.

    Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances.

    Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.

    I mean, even I make sure that GPG is enabled. Guess this could be included in the "Burned by eschewing best practices" thread as well.

    I'm also wondering if that rhui-monitor.cloud host is a Microsoft or RedHat run server?



  • @travisdh1 said in Microsoft, at least they found and fixed the problem themselves this time.:

    I mean, even I make sure that GPG is enabled. Guess this could be included in the "Burned by eschewing best practices" thread as well.

    Are they DSS compliant? That's one of the big checks according to the STIGS. We even have to make local repos GPG check and encrypted.