The Cloud Is Not Immune to Attacks on SSL Certificates

Microsoft patched a configuration hole that allowed hackers to upload software packages to its Azure update infrastructure.
December 1, 2016 | Scott Carter

If anything, keys and certificates may be more important to cloud security than they are to on-premises security. With a shared infrastructure, protecting access to digital assets is critical. This was illustrated by a recent bug in Azure that was discovered by software engineer Ian Duffy. He unveiled a massive vulnerability in Microsoft's update infrastructure that left virtual machines on Azure running Red Hat Enterprise Linux open to attack.

SC Magazine UK reports that “Azure used an unusual installation script in its pre-configured RPM Package Manager that comprises build host information enabling hackers to find all Red Hat Update Appliances which expose REST APIs over HTTPS.” This allowed users such as Duffy to access archives containing configuration files and SSL certificates. Hackers could misuse this information to attain full administrative access to VMs.

In a blog post, Duffy outlines the vulnerability: "It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it, all billing association seemed to be lost but repository access was still available."

Venafi Chief Security Strategist Kevin Bocek told SC Magazine UK “that as the update services use SSL/TLS encrypted tunnels, communicating and exploiting the service would almost certainly be a blind spot for Microsoft and Azure customers.” Security blind spots are dangerous and can leave you unwittingly open to attack. You need full visibility into where your SSL certificates live and how they are being used.

“Network security systems need to be fed SSL/TLS keys to have full visibility – something that is extremely difficult since most data centers have thousands of SSL/TLS keys and certificates, most completely unknown or out of reach of security administrators. Only automated SSL/TLS key and certificate discovery and orchestrated distribution to security systems can make full visibility possible,” continued Bocek.

Can you see all your SSL certificates that are being used in the cloud? 

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.