Microsoft has patched a customer-discovered vulnerability stemming from its configuration of Red Hat Enterprise Linux (RHEL) in the Azure public cloud.
Microsoft Azure uses a process in which all instances of the RHEL operating system check back to a centralized system to ensure they are up to date. The customer, Ian Duffy in Ireland, found that he was able to access that master copy of RHEL, which could have allowed him or anyone else to implant a security vulnerability into the master copy of the program that would then have propagated to any Azure customer using the OS.
Microsoft has patched the vulnerability, which was specific to its implementation of RHEL, so RHEL and Azure customers do not need to do anything to ensure their systems are fixed. There are no reports of nefarious activity that resulted from this incident. For complete details on what happened, see the more in-depth breakdown by security reporter Fahmida Rashid at InfoWorld, a Network World sister site.
Security vendors jumped on the news, taking the opportunity to remind customers, and providers, of the need to restrict access to administrative controls when hosting software in the cloud. The incident shows “how things can go very wrong when private appliances meant for internal use become accessible to the public,” says Roy Feintuch, CTO and Co-founder of Dome9, a cloud security company. “Security needs to be designed under the assumption that software is susceptible to bugs and misconfigurations, and that private services exposed to the public will get hacked eventually. With the proper tools that allow organizations to visualize, evaluate and enforce the exposure level of each service they deploy, such risks can be mitigated.”