The Cloud Is Not Immune to Attacks on SSL Certificates

Microsoft patched a configuration hole that allowed hackers to upload software packages to its Azure update infrastructure.
December 1, 2016 | Scott Carter

If anything, keys and certificates may be more important to cloud security than they are to on-premises security. With a shared infrastructure, protecting access to digital assets is critical. This was illustrated by a recent bug in Azure discovered by software engineer Ian Duffy. He disclosed a massive vulnerability in Microsoft's Azure update infrastructure that left virtual machines on Azure running Red Hat Enterprise Linux open to attack.

SC Magazine UK reports that “Azure used an unusual installation script in its pre-configured RPM Package Manager that comprises build host information enabling hackers to find all Red Hat Update Appliances which expose REST APIs over HTTPS.” This allowed users such as Duffy to access archives containing configuration files and SSL certificates. Hackers could misuse this information to attain full administrative access to VMs.

In a blog post, Duffy outlines the vulnerability: "It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it, all billing association seemed to be lost but repository access was still available."

Venafi Chief Security Strategist Kevin Bocek told SC Magazine UK “that as the update services use SSL/TLS encrypted tunnels, communicating and exploiting the service would almost certainly be a blind spot for Microsoft and Azure customers.” Security blind spots are dangerous and can leave you unwittingly open to attack. You need full visibility into where your SSL certificates live and how they are being used.

“Network security systems need to be fed SSL/TLS keys to have full visibility – something that is extremely difficult since most data centers have thousands of SSL/TLS keys and certificates, most completely unknown or out of reach of security administrators. Only automated SSL/TLS key and certificate discovery and orchestrated distribution to security systems can make full visibility possible,” continued Bocek.

Can you see all your SSL certificates that are being used in the cloud? 
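A small inventory check in the spirit of the certificate discovery described above, added here as an illustration (it is not code from Duffy, Microsoft or Venafi): it fingerprints every certificate collected per host and reports any certificate present on more than one host, which is the situation in which a certificate copied between instances still authenticates. The host names and the inventory are constructed, and the "certificates" are placeholder bytes rather than real X.509 data, since a fingerprint only needs the decoded DER bytes.

```python
import hashlib
import re
import ssl
from collections import defaultdict

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of each certificate block in pem_text."""
    found = []
    for block in PEM_BLOCK.findall(pem_text):
        try:
            der = ssl.PEM_cert_to_DER_cert(block)
        except ValueError:  # undecodable base64 body: skip it, keep scanning
            continue
        found.append(hashlib.sha256(der).hexdigest())
    return found


def shared_certificates(inventory):
    """Map fingerprint -> sorted host list for certificates seen on 2+ hosts."""
    hosts_by_fp = defaultdict(set)
    for host, pem_text in inventory.items():
        for fp in fingerprints(pem_text):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
            if len(hosts) > 1}


def placeholder_pem(label):
    # Constructed placeholder bytes wrapped as PEM, not a real certificate.
    return ssl.DER_cert_to_PEM_cert(label)


# Constructed inventory: host name -> concatenated PEM text collected from it.
SAMPLE_INVENTORY = {
    "vm-a": placeholder_pem(b"constructed-client-cert-1"),
    "vm-b": placeholder_pem(b"constructed-client-cert-1")
            + placeholder_pem(b"constructed-ca-cert"),
    "vm-c": placeholder_pem(b"constructed-client-cert-2"),
}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE_INVENTORY).items():
        print(f"{fp[:16]}... present on {', '.join(hosts)}")
```

In a real inventory the PEM text would come from files or endpoints collected per host; a shared fingerprint is a prompt to ask whether that credential was meant to be per-instance.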

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
