ID | Vulnerabilities | Description | Layer |
---|---|---|---|
V01 | Insecure interfaces and APIs | Cloud providers offer services that can be accessed through APIs (SOAP, REST, or HTTP with XML/JSON) [42]. The security of the cloud depends upon the security of these interfaces [16]. Some problems are: (a) weak credentials; (b) insufficient authorization checks; (c) insufficient input-data validation. Also, cloud APIs are still immature, which means that they are frequently updated; a fixed bug can introduce another security hole in the application [54]. | SPI |
V02 | Unlimited allocation of resources | Inaccurate modeling of resource usage can lead to overbooking or over-provisioning [17]. | SPI |
V03 | Data-related vulnerabilities | (a) Data can be colocated with the data of unknown owners (competitors, or intruders) with weak separation [36]; (b) data may be located in different jurisdictions which have different laws [19, 54, 55]; (c) incomplete data deletion: data cannot be completely removed [19, 20, 25, 56]; (d) data backup done by untrusted third-party providers [56, 57]; (e) information about the location of the data is usually unavailable or not disclosed to users [25]; (f) data is often stored, processed, and transferred in clear (plain) text. | SPI |
V04 | Vulnerabilities in Virtual Machines | (a) Possible covert channels in the colocation of VMs [48, 58, 59]; (b) unrestricted allocation and deallocation of resources with VMs [57]; (c) uncontrolled migration: VMs can be migrated from one server to another server due to fault tolerance, load balancing, or hardware maintenance [42, 44]; (d) uncontrolled snapshots: VMs can be copied in order to provide flexibility [12], which may lead to data leakage; (e) uncontrolled rollback could lead to reset vulnerabilities: VMs can be backed up to a previous state for restoration [44], but patches applied after the previous state disappear; (f) VMs have IP addresses that are visible to anyone within the cloud, so attackers can map where the target VM is located within the cloud (cloud cartography [58]). | I |
V05 | Vulnerabilities in Virtual Machine Images | (a) Uncontrolled placement of VM images in public repositories [24]; (b) VM images cannot be patched since they are dormant artifacts [44]. | I |
V06 | Vulnerabilities in Hypervisors | (a) Complex hypervisor code [60]; (b) flexible configuration of VMs or hypervisors to meet organization needs can be exploited. | I |
V07 | Vulnerabilities in Virtual Networks | Sharing of virtual bridges by several virtual machines [51]. | I |