Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA
Critical vulnerabilities in six AWS services were disclosed, allowing account takeovers and data manipulation. Researchers highlighted a "Shadow Resources" attack exploiting predictable S3 bucket names. AWS resolved the issues after notification.
Read original article
Critical vulnerabilities in six Amazon Web Services (AWS) were disclosed at Black Hat USA, potentially allowing for account takeovers, remote code execution, and data manipulation. Researchers from Aqua Security presented their findings, highlighting a "Shadow Resources" attack vector that exploited the automatic creation of S3 buckets by services like CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. These buckets had predictable naming conventions, enabling attackers to create their own buckets with the same names, leading to unauthorized access to sensitive information and the potential for backdoor injections. The vulnerabilities were reported to AWS in February 2024 and were resolved by June 2024. The researchers emphasized the importance of treating AWS account IDs and unique hashes as secrets to prevent such attacks. They also recommended implementing security measures to avoid using buckets owned by other accounts and following least privilege principles when assigning user roles. Although AWS has addressed these vulnerabilities, the risk of similar issues in open-source integrations remains, necessitating vigilance in securing AWS resources.
- Six AWS services were found to have critical vulnerabilities.
- The vulnerabilities allowed for account takeovers and data manipulation.
- Attackers could exploit predictable S3 bucket names to gain unauthorized access.
- AWS resolved the issues after being notified by researchers.
- Users are advised to treat account identifiers as secrets to enhance security.
Related
Well, it's just an AWS Account ID
AWS Account IDs are crucial for cloud security, aiding in resource sharing and reconnaissance. They facilitate IAM entity enumeration, service discovery, and security testing, highlighting AWS footprint insights for potential attacks. An upcoming course on securing AWS environments is recommended.
IdentifyMobile incident exposed 200M records from companies
A security incident at IdentifyMobile exposed 200 million SMS messages from 200+ companies due to an unsecured AWS S3 server. Sensitive data like 2FA codes and transaction numbers were compromised. Investigations are ongoing.
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and privat
The Wiz Research Team identified vulnerabilities in SAP AI Core, enabling unauthorized access to customer data. Reported issues included network bypass, AWS token leaks, and exposure of sensitive information. SAP addressed and resolved all vulnerabilities.
How to pwn a billion dollar VC firm using inspect element
A security researcher found sensitive data from VC firm a16z exposed on their website. Despite the potential risks, a16z didn't offer a bug bounty. The incident stresses the need for responsible disclosure and robust security practices.
Revealing the Inner Structure of AWS Session Tokens
A study by Tal Be'ery reverse-engineered AWS Session Tokens, revealing their structure and developing tools for analysis. This research aids security professionals in understanding AWS's authentication protocols to prevent attacks.
6 commentsThe “Shadow Resources” attack vector, which has since been addressed by AWS, stemmed from the automatic generation of S3 buckets by various AWS services, including:
- CloudFormation
- Glue
- EMR
- SageMaker
- ServiceCatalog
- CodeStar
And s3 buckets are not scoped to an account and their ARN is global and doesn't contain the account id.
For the same reason i advice anybody to always use random suffixes (easily done in Terraform with name_prefix) when generating bucket names.
Related
Well, it's just an AWS Account ID
AWS Account IDs are crucial for cloud security, aiding in resource sharing and reconnaissance. They facilitate IAM entity enumeration, service discovery, and security testing, highlighting AWS footprint insights for potential attacks. An upcoming course on securing AWS environments is recommended.
IdentifyMobile incident exposed 200M records from companies
A security incident at IdentifyMobile exposed 200 million SMS messages from 200+ companies due to an unsecured AWS S3 server. Sensitive data like 2FA codes and transaction numbers were compromised. Investigations are ongoing.
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and privat
The Wiz Research Team identified vulnerabilities in SAP AI Core, enabling unauthorized access to customer data. Reported issues included network bypass, AWS token leaks, and exposure of sensitive information. SAP addressed and resolved all vulnerabilities.
How to pwn a billion dollar VC firm using inspect element
A security researcher found sensitive data from VC firm a16z exposed on their website. Despite the potential risks, a16z didn't offer a bug bounty. The incident stresses the need for responsible disclosure and robust security practices.
Revealing the Inner Structure of AWS Session Tokens
A study by Tal Be'ery reverse-engineered AWS Session Tokens, revealing their structure and developing tools for analysis. This research aids security professionals in understanding AWS's authentication protocols to prevent attacks.