“Dirty Disk” Vulnerability Threatens The Cloud

Research by Context Information Security, conducted last year and published yesterday, has uncovered data security flaws in the cloud infrastructure services of several providers, including Rackspace and VPS.NET.

The problem lies in data separation between virtual machines using the same storage drives. The vulnerability could give attackers unauthorised access to deleted customer data that is still invisibly present on the drives. The simplest solution is to “zero” format the hard drives after files have been deleted, making the information unrecoverable.

While Rackspace gave Context access to their engineers, executives and processes to fix the vulnerability, VPS.NET says it has  resolved the problem on its own own by rolling out a patch.

Context warns that OnApp Cloud solution, on which VPS.NET is based, is used by over 250 cloud providers worldwide, and there could be thousands of virtual machines at potential risk.

Wipe the disk after you’re done

Context also tested the cloud market leader Amazon, as well as another provider, Gigenet, and gave them both a clean bill of health over so-called “dirty disks”. However, with servers hosted on Rackspace and VPS.NET, Context managed to gain access to fragments of customer databases and elements of system information that could potentially give an attacker control over hosted servers.

“In the cloud, instead of facing an infrastructure based on separate physical boxes, an attacker can purchase a node from the same provider and attempt an attack on the target organisation from the same physical machine and using the same physical resources” said Michael Jordon, research and development manager at Context.

“This does not mean that the Cloud is unsafe and the business benefits remain compelling, but the simplicity of this issue raises important questions about the maturity of Cloud technology and the level of security and testing undertaken in some instances,” he added.

Since March last year, Rackspace has worked closely with Context to identify and fix the potential vulnerability, which was found among some users of its now-legacy platform for Linux Cloud Servers.

The company has long been “zeroing” the disk areas that were occupied by virtual machines, but this operation was not effective in all instances.

“For Rackspace the issue was in their use of Xen Classic in a configuration which was insecure.  Other hypervisors could also be configured in this fashion.  We tested four providers and two had the issue, so there is a good chance that other providers will have made the same mistake,” a spokesman for Context told TechWeekEurope.

The company later tested Rackspace’s current cloud platform, as well as its new Cloud computing solution based on OpenStack, and has confirmed that the security vulnerability has been resolved. Rackspace has claimed that to date, no customer data was seen or exploited in any way by any unauthorized party.

Expensive zeroes

VPS.NET told Context that it took 15 days to roll out a patch which fixed the issue. However, its service is based on OnApp – a complete Cloud solution, used across the globe by more than 250 providers, and available to buy off-the-shelf.

OnApp has claimed that “not many customers are affected” by the vulnerability. It told Context that “zeroing” out the entire disk by default would be “too costly from a hardware IO perspective“. Instead, the company introduced an optional function that will securely format the discs and remove remaining data. However, because of its opt-in nature, and the widespread use of OnApp, there could be thousands of virtual machines still at potential risk.

“OnApp seem to take the view that cost is more important than security,” said a spokesman for Context. OnApp was not available for comment at the time of writing.

“It is unclear how widespread this issue is among other Cloud providers” said Jordon. “By raising awareness of the problem, other service providers of Cloud Infrastructure services can ensure they do not put their customers’ data at risk in the same manner, and customers can undertake the appropriate due diligence before moving to the Cloud.”

Context advises the users of OnApp-based Cloud services to ensure they click on the secure wipe button if they are de-provisioning virtual servers.

It is not just storage drives in the cloud that can keep remains of the data after it has been deleted. Research presented by the ICO  at Infosec today suggests that one in 10 second-hand hard drives keep personal data.

How well do you know the cloud? Take our quiz!