These two major AWS security flaws could have left user accounts wide open
Patches were issued within six days
Amazon Web Services (AWS) has been forced to patch two major security vulnerabilities, which could have been used to steal sensitive data, reports have claimed.
The two vulnerabilities in Amazon’s cloud computing arm were discovered by cybersecurity researchers from Orca Security, and were dubbed Superglue and BreakingFormation.
Superglue exploits an issue in AWS Glue, allowing users to access data managed by other Glue users. AWS Glue is a service which customers use to store huge swathes of data.
A fix within a day
"We were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account," Orca said, "which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges."
By taking advantage of the flaw, Orca’s researchers managed to do a number of potentially malicious things, such as assume roles in AWS customer accounts trusted by Glue; query and modify AWS Glue service-related resources in a specific region; discovered a way to access data managed by other Glue users. It’s important to note that Orca did not actually gain access to anyone else’s data.
BreakingFormation leverages a vulnerability found in AWS CloudFormation, a tool that lets users “model, provision, and manage AWS and third-party resources by treating infrastructure as a code.”
According to Orca, this vulnerability could have been used to steal sensitive data from third parties.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Orca’s researchers tested the fixes (which allegedly took AWS roughly 25 hours to code) and found that the vulnerabilities were fully patched and no longer exploitable.
- You might also want to check out our list of the best cloud storage providers right now
Via: PCMag
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.