Cloud integrations promise easier access to tools, shared sessions, and unified workflows. But as a newly discovered vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor shows, they can also quietly expose critical security gaps.
Researchers at Tenable identified the now-remediated critical remote code execution (RCE) flaw while analyzing how Code Editor interacts with its Cloud Shell command-line environment.
Tightly Integrated
Code Editor is an integrated development environment in OCI that lets developers write, edit, and manage code directly in their cloud environment without leaving the browser. It eliminates the need for them to download, install, and configure local development tools. Code Editor is integrated with other OCI developer services such as Resource Manager, Functions, and Data Science. It also uses Cloud Shell to run commands and scripts.
Oracle Cloud Shell itself is a browser-based command-line interface that provides pre-authenticated access to Oracle Cloud resources. Code Editor and Cloud Shell share the same underlying file system and user session data within OCI, meaning files edited or created in either environment are immediately accessible in the other.
Tenable decided to look for potential vulnerabilities and entry points for attacks in these tightly integrated OCI services. “Code Editor is often treated by researchers and users as a sandboxed, isolated space, but its deep interface with Resource Manager, Functions and Data Science suggests otherwise,” Tenable security researcher Liv Matan wrote in a blog this week. “Our intuition was simple: if a developer can upload files easily, can an attacker?” The answer, it quickly turned out, was yes.
Tenable researchers first probed Cloud Shell and its file upload mechanisms for potential security issues and found nothing to suggest trouble. So they switched their attention to Code Editor and found an issue with a file upload endpoint that it shared with Cloud Shell.
Specifically, the vulnerability stemmed from a missing Cross-Site Request Forgery (CSRF) check on a router that handles file uploads and downloads within Code Editor.
CSRF checks are essential to preventing malicious websites from tricking a user’s browser into performing actions on other Web apps and sites where the user might be logged in. Tenable found the router’s handling of authentication cookies to be insecure, offering no protection at all against CSRF requests: any website could trigger the endpoint and take action on behalf of the user, so long as that user was logged into OCI.
Open Door
“In essence: an attacker could create a webpage that, when visited by an authenticated Oracle Cloud Infrastructure user, would upload a malicious file to their Cloud Editor without their knowledge,” Matan wrote. “Since Code Editor uses Cloud Shell’s file system behind the scenes, the file uploaded will be uploaded to the victim’s Cloud Shell.”
Tenable found that once an attacker successfully hijacks a victim’s Cloud Shell, they could then quickly move to other tightly integrated OCI services such as Resource Manager, Functions and Data Science. “In essence, what begins as a simple CSRF exploit targeting file uploads on Cloud Shell quickly escalates into a multi-surface threat, compromising not just the shell, but the full suite of developer tools around it,” Matan noted. The vulnerability gave attackers a way to use a victim’s permissions on OCI to access sensitive data, deploy unauthorized resources, and move laterally to integrated OCI services. All that was required was for a user to be authenticated to their OCI account when they visited the malicious website.
Oracle has since patched the vulnerability by enforcing CSRF protections, which included requiring a custom token header. Requests without the custom header are summarily rejected, meaning the vulnerability is no longer exploitable, Matan said.
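To make the before-and-after concrete, here is an added illustration (not Tenable’s or Oracle’s code) of an upload router that authorizes on the session cookie alone versus one that also demands a custom token header, together with a rough model of what a browser will and will not send cross-site. Cookie and header names, the session store, and the origins are all constructed assumptions.

```python
"""Added example, not Tenable's or Oracle's code: a minimal model of the
upload router before and after the fix described above.  Cookie and header
names, the session store and the origins are constructed assumptions."""
import hmac
import secrets

SESSION_COOKIE = "oci_session"   # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"     # assumed custom header name
EDITOR_ORIGIN = "https://editor.example.test"   # assumed origin of Code Editor

# Constructed server-side session store: session id -> user and CSRF token.
SESSIONS = {"sess-abc123": {"user": "dev", "csrf": secrets.token_hex(16)}}


def browser_request(page_origin, cookies, headers):
    """Approximate what a browser sends to EDITOR_ORIGIN on behalf of a page
    at page_origin.  Cookies ride along with a cross-site form POST (the
    pre-fix situation), but a custom header is not a 'simple' header: a
    cross-site page can only add it through a CORS preflight, which the
    upload router does not approve, so it is stripped here."""
    if page_origin == EDITOR_ORIGIN:
        return cookies, headers
    stripped = {k: v for k, v in headers.items() if k.lower() != CSRF_HEADER.lower()}
    return cookies, stripped


def upload_vulnerable(cookies, headers):
    """Pre-fix router: the session cookie alone authorizes the upload."""
    return cookies.get(SESSION_COOKIE) in SESSIONS


def upload_hardened(cookies, headers):
    """Post-fix router: the cookie must be paired with the custom header
    carrying the session's CSRF token, compared in constant time."""
    session = SESSIONS.get(cookies.get(SESSION_COOKIE))
    token = headers.get(CSRF_HEADER)
    if session is None or token is None:
        return False
    return hmac.compare_digest(token, session["csrf"])


def outcome(page_origin, router):
    """Run one upload attempt from page_origin through the given router.
    The victim is logged in; only Code Editor's own front end knows the
    token, and a foreign page could not send the header even if it did."""
    cookies = {SESSION_COOKIE: "sess-abc123"}
    headers = {CSRF_HEADER: SESSIONS["sess-abc123"]["csrf"]}
    return router(*browser_request(page_origin, cookies, headers))
```

Running `outcome("https://other-site.example.test", upload_vulnerable)` returns True (the bug), while the same call against `upload_hardened` returns False; a same-origin request succeeds against both.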
The vulnerability highlights the often hidden risks in tightly integrated, Jenga-like cloud environments where cloud providers tend to stack services on top of each other, often with unseen building blocks. In such environments, if one service is compromised, services built on top of it may inherit those same risks and vulnerabilities. “This realization is a critical lesson in modern cloud security research: integrations aren’t just conveniences; they’re potential points for vulnerabilities,” Matan said.