Vulnerabilities in Cloud Services
Thursday, April 24, 2014 @ 04:04 PM gHale
The servers provided by Amazon’s Cloud IaaS (Infrastructure as a Service) have vulnerabilities, researchers said.
That revelation came about when a customer complained his server ended up infected with spying and information-stealing malware despite the use of security provider Bkav’s anti-malware solution.
While investigating how that might have happened, Bkav discovered Windows Server 2003 on Amazon’s cloud server last received an update in October 2009. In addition, the Auto Update was not on.
“Five years are more than enough for hundreds or even thousands of flaws to be exposed and exploited, and in light of high level of Internet connection nowadays, the possibility of being penetrated is indisputable,” the researchers said in a blog post. “We executed a test with dangerous proof-of-concept code MS12-020, which is widely publicized on the Internet, and easily brought the customer’s server down.”
They then proceeded to rent several Amazon servers in America, Japan and England and test them, and they discovered the same problem. The only difference was the date of the last update was early 2012.
These results made them consider the notion that other cloud IaaS service providers might offer similarly vulnerable servers, and they decided to investigate.
“In the case of HP Public Cloud, the patch is 8 months out-of-date (July 2013). And GoGrid, another big provider, has similar problem: Auto Update is not activated and the time of latest updates is April 2012,” they said. “Microsoft is the sole exception as this provider turns on Auto Update and has the latest update of the month. It seems that the giant provider is well-aware of the vulnerabilities in their own operating system.”