Zero-day flaw behind Rackspace breach still a mystery
More than two weeks after threat actors exploited a zero-day vulnerability in a third-party utility to breach Rackspace, the details about the flaw and the utility remain unknown.
A zero-day vulnerability that attackers exploited to breach Rackspace last month remains a mystery as no CVE has been assigned and the utility vendor has not been revealed.
On Sept. 24, Rackspace suffered a data breach after attackers exploited a remote code execution vulnerability in a ScienceLogic application the cloud provider uses to monitor its environment. The incident, which was first reported by The Register, affected limited internal monitoring data.
Subsequently, ScienceLogic confirmed that the vulnerability existed in a separate third-party utility and released a patch. But more than two weeks later, details on the zero-day vulnerability remain scarce. While ScienceLogic released a fix, the flaw has not received a CVE, and neither Rackspace nor ScienceLogic has disclosed the third-party utility vendor.
TechTarget Editorial contacted ScienceLogic, and the company sent the following statement.
"We identified a zero-day remote code execution vulnerability within a non-ScienceLogic third-party utility that is delivered with the SL1 package. Upon identification, we rapidly developed a patch to remediate the incident and have made it available to all customers globally. We are focused on assisting our customers in implementing the fix to minimize their risk. We will continue to update customers as appropriate."
Arctic Wolf published a blog post on the incident last week. The cybersecurity company said no attribution has been made and that compromised monitoring data includes customer account names and numbers, customer usernames, device IP addresses, and more. Rackspace notified affected customers, but no customer action was required.
However, Arctic Wolf warned the vulnerability could pose a risk to other organizations if it garners more attention from threat actors. "A remote code execution vulnerability affecting a third-party utility used by various other products presents an appealing target for threat actors, as it offers a broad attack surface for exploitation, similar to the infamous Log4j, a third-party library, which was exploited in 2021 to allow attackers to execute arbitrary code across millions of systems," Arctic Wolf wrote in the blog post.
Steven Campbell, lead threat intelligence researcher at Arctic Wolf, told TechTarget Editorial that it's unclear why a CVE has not been assigned and why the details of the utility and the vulnerability itself have not been revealed.
For now, he can only speculate as to why the zero-day flaw did not receive a CVE.
"It could be due to a whole host of reasons: dispute over severity of the presence of an actual vulnerability; doesn't meet reporting threshold; not reproducible; no CNA [CVE Numbering Authority] representation/delay; CVE may already be assigned, but we don't know because we don't know what product is impacted," Campbell said in an email.
Thomas Richards, principal consultant at Black Duck Software, told TechTarget Editorial that the Rackspace breach underscores the importance of supply chain security because the unknown third-party utility is likely used by other software vendors. He added that transparency about the supply chain vulnerability should be provided once the source organization has issued the appropriate patch.
"The vulnerability lies three layers deep. Rackspace uses a product, which incorporates other software and libraries within that product, which resulted in the vulnerability. The difficult part here is that ScienceLogic disclosed the vulnerability to the supplier without submitting for a CVE assignment," Richards said. "Not all vulnerabilities get assigned a CVE. But [not] disclosing this while there is a patch for the problem could put additional organizations at risk who utilize the affected software component that ScienceLogic used."
Chris Wysopal, chief security evangelist at Veracode, said an important part of the coordinated vulnerability disclosure process is not to tip off attackers.
Wysopal said attackers could reverse engineer the patch ScienceLogic released to discover the zero-day vulnerability. However, he also said that divulging details about the flaw before the third-party utility is fixed will benefit threat actors.
"In the Rackspace case, Rackspace identified the issue and notified the vendor. Until the vendor fixes the issue and notifies the CVE team, we won't see a CVE publicly issued. Rackspace seems to be following coordinated disclosure and is making sure attackers don't have the upper hand before a fix is available," Wysopal said.
Rackspace did not respond to requests for comment at press time.
Rackspace suffered a ransomware attack in 2022 that compromised the company's Hosted Exchange service. The Play ransomware gang claimed responsibility for the attack, which affected several Hosted Exchange customers.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.