> Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.

And given how hard it is to detect backdoor software, this is a HUGE security blunder. This could have literally installed a rootkit on every RHEL instance on Azure.
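The comment above turns on one repository setting: with gpgcheck off, a client trusts whatever the update server hands it. The following is an added audit script, not code from the thread or from Red Hat or Microsoft, that walks a directory of yum/dnf repo files and reports every repo stanza whose gpgcheck is 0 or absent. The repo files it creates are constructed samples under hypothetical `example.invalid` hostnames so the script runs offline; on a real host you would point `find_unsigned_repos` at `/etc/yum.repos.d`.

```shell
#!/bin/sh
# Added example: audit yum/dnf repo stanzas for disabled or missing gpgcheck.
# Not part of the original thread; the sample repo files below are constructed.

# find_unsigned_repos DIR
# Prints "file:[section]" for every repo stanza in DIR/*.repo whose gpgcheck
# is 0 or not set at all. A missing repo-level gpgcheck inherits the [main]
# value from /etc/yum.conf or /etc/dnf/dnf.conf, so treat those hits as
# "verify the main config" rather than as definite findings.
find_unsigned_repos() {
    dir="$1"
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Emit the current section if it never enabled gpgcheck.
            function flush() {
                if (sec != "" && checked != 1) print file ":" sec
            }
            # A new [section] header closes the previous stanza.
            /^[ \t]*\[/ {
                flush()
                sec = $0
                sub(/^[ \t]*/, "", sec); sub(/[ \t]*$/, "", sec)
                checked = 0
                next
            }
            # gpgcheck accepts 1/0, true/false, yes/no in yum and dnf.
            /^[ \t]*gpgcheck[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                checked = (v == "1" || v == "true" || v == "True" || v == "yes") ? 1 : 0
            }
            END { flush() }
        ' "$f"
    done
}

# make_sample_repos DIR
# Writes constructed repo files: one with gpgcheck=0 (the weak setting the
# thread is about), one correctly signed, and one stanza with no gpgcheck line.
make_sample_repos() {
    dir="$1"
    cat > "$dir/epel.repo" <<'EOF'
[epel]
name=Extra Packages (constructed sample)
baseurl=https://mirror.example.invalid/epel
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=EPEL debuginfo (constructed sample, gpgcheck line missing)
baseurl=https://mirror.example.invalid/epel-debuginfo
enabled=0
EOF
    cat > "$dir/rhui.repo" <<'EOF'
[rhui-rhel-7-server-rpms]
name=Red Hat Enterprise Linux 7 Server (constructed sample)
baseurl=https://rhui.example.invalid/content/rhel7
enabled=1
gpgcheck=0
EOF
}

# Demo run against the constructed files when invoked with --demo.
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_sample_repos "$tmp"
        find_unsigned_repos "$tmp"
        rm -rf "$tmp"
        ;;
esac
```

The script only reads repo files, so it is safe to run from configuration management on every host as a drift check; the corrected setting for a flagged stanza is `gpgcheck=1` together with a `gpgkey=` pointing at the vendor's signing key, which makes a client reject a package that the update server delivered but the vendor never signed.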
Follow-up post for anyone who is interested... You've got root, can you get more access to the user's Azure account? The answer is yes. http://ianduffy.ie/blog/2016/11/27/azure-bug-bounty-root-to-storage-account-administrator/
There was a thread yesterday where lots of people were complaining about HSMs (https://news.ycombinator.com/item?id=13031155). I think this is an example where it would have helped to secure the private key in an HSM instead of the server itself.

Now the author states the keys have been rotated, but now the next hacker knows where to look.
So, it seems that the attack vector was that Microsoft was running RHUI Log Collector open to the public internet for some reason.

Considering that's from Red Hat, and not Microsoft, I do wonder if this is a non-sensible default setup issue and there may be many enterprises running this out in the open.
It sounds like they fixed the RHEL Update infrastructure, but they didn't fix this:

"Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available"