{"id":36,"date":"2022-02-07T02:02:33","date_gmt":"2022-02-07T02:02:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=36"},"modified":"2022-02-07T02:02:33","modified_gmt":"2022-02-07T02:02:33","slug":"insecure-bootstrap-process-in-oracle-cloud-cli","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=36","title":{"rendered":"Insecure Bootstrap Process in Oracle Cloud CLI"},"content":{"rendered":"<h2 class=\"wp-block-heading\">Summary<\/h2>\n<p>The bootstrap process for Oracle Cloud CLI using the \u201ccurl | bash\u201d pattern was insecure since there was no way to verify the authenticity of the downloaded binaries. The vendor is now publishing checksums that can be used to verify the downloaded binaries.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability Details<\/h2>\n<p><a href=\"https:\/\/wwws.nightwatchcybersecurity.com\/2021\/07\/12\/speaking-appsec_village-defcon-29\/\">As part of our ongoing research into supply chain attacks<\/a>, we have been analyzing bash installer scripts using the \u201ccurl | bash\u201d pattern. <a href=\"https:\/\/github.com\/oracle\/oci-cli#linux\">Oracle provides such a script<\/a>, used to install the CLI for interacting with Oracle Cloud. However, there was no way to check whether the files that the script downloads are legitimate, which could potentially open the end user to supply chain attacks. 
The installer is run as follows:<\/p>\n<p>bash -c \"$(curl -L https:\/\/raw.githubusercontent.com\/oracle\/oci-cli\/master\/scripts\/install\/install.sh)\"<\/p>\n<h2 class=\"wp-block-heading\">Vendor Response<\/h2>\n<p>The vendor <a href=\"https:\/\/github.com\/oracle\/oci-cli\/releases\">started publishing SHA-256<\/a> checksums for the CLI.<\/p>\n<h2 class=\"wp-block-heading\">References<\/h2>\n<p>Vendor reference # S1456147<\/p>\n<p>Vendor security advisory: <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpujan2022.html\">Jan 2022<\/a><\/p>\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n<p>2021-04-21: Initial report to the vendor<br \/>2021-04-21: Vendor acknowledged the report<br \/>2021-05-04: Vendor communicated that a fix is pending<br \/>2021-12-28: Vendor reported that a fix has been implemented and credit will be provided in an advisory<br \/>2022-01-18: Vendor advisory published<br \/>2022-02-06: Public disclosure<\/p>","protected":false},"excerpt":{"rendered":"<p>Summary The bootstrap process for Oracle Cloud CLI using the \u201ccurl | bash\u201d pattern was insecure since there was no way to verify the authenticity of the downloaded binaries. The vendor is now publishing checksums that can be used to verify the downloaded binaries. 
Vulnerability Details As part of our ongoing research into supply chain attacks, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-36","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/36"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/36\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}