Aqua security reports finding vulnerabilities in AWS cloud services

According to the research, a new attack vector could allow unauthorised users to breach AWS accounts through malicious code embedded in S3 buckets.


Please note – the vulnerabilities were promptly fixed by AWS!

Cloud native security specialist Aqua Security has unveiled new research by its cyber research team, Nautilus, addressing critical vulnerabilities in six AWS services. The potential impacts include remote code execution (RCE), full-service user takeover which might provide powerful administrative access, manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service. The vulnerabilities were quickly acknowledged and fixed by AWS.

“When creating a new service in AWS, there are internal dependencies and complexities that cloud users and developers might not be aware of,” said Yakir Kadkoda, Lead Researcher at Aqua Security. “We found that under some conditions, an attacker could exploit gaps to gain access to and even take over AWS accounts.”

The vulnerabilities were found in the following AWS services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. When any of these services is used in a new region for the first time, an S3 bucket is automatically created with a predictable name. This name is composed of the name of the service, the AWS account ID (in most of the services mentioned above) and the name of the region. Thus, across all AWS regions, the bucket name remains the same, differing only by the region name.

Aqua Nautilus uncovered how attackers could discover the buckets’ names or guess the predictable parts of the bucket name. Subsequently, using a method dubbed “Bucket Monopoly,” the attackers can create these buckets in advance in all available regions, essentially performing a land grab, and then store malicious code in the buckets.

When the targeted organization enables the service in a new region for the first time, the service uses the attacker-controlled bucket and the malicious code is unknowingly executed by the targeted organization, potentially resulting in the creation of an admin user in the targeted organization and granting control to the attackers.
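One way a defender can check their own exposure to this pattern is to probe the predictable bucket name in every region and classify each as owned by us, held by a foreign account, or still unclaimed. The following is an added example, not Aqua's or AWS's code: the `service-accountid-region` name pattern is an assumed illustration (the real patterns are service specific), and the live probe uses the S3 `HeadBucket` call with its `ExpectedBucketOwner` parameter, which returns 403 when the bucket exists but belongs to another account.

```python
from typing import Callable, Dict, Iterable, List

# Verdicts from a HeadBucket probe issued with ExpectedBucketOwner set to our own
# account ID: 200 = exists and is ours, 403 = exists but is not ours (or access
# denied), 404 = nobody has claimed the name yet, so it is open to a land grab.
VERDICT_BY_STATUS = {200: "owned", 403: "foreign", 404: "unclaimed"}


def candidate_names(service: str, account_id: str, regions: Iterable[str]) -> Dict[str, str]:
    """Map region -> predictable bucket name. ASSUMED pattern, for illustration only."""
    return {r: f"{service}-{account_id}-{r}" for r in regions}


def audit(names: Dict[str, str], probe: Callable[[str], int]) -> Dict[str, str]:
    """Classify each region's bucket. probe(name) returns the HTTP status of
    HeadBucket; any status outside the table is reported as 'unknown', not guessed."""
    return {region: VERDICT_BY_STATUS.get(probe(name), "unknown")
            for region, name in names.items()}


def findings(verdicts: Dict[str, str]) -> Dict[str, List[str]]:
    """Group regions needing attention: 'foreign' = investigate who holds the name,
    'unclaimed' = the name can still be taken by anyone."""
    out: Dict[str, List[str]] = {"foreign": [], "unclaimed": []}
    for region, verdict in verdicts.items():
        if verdict in out:
            out[verdict].append(region)
    return out


def boto3_probe(account_id: str) -> Callable[[str], int]:
    """Live probe via boto3 (imported lazily so this module also loads offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def probe(name: str) -> int:
        try:
            s3.head_bucket(Bucket=name, ExpectedBucketOwner=account_id)
            return 200
        except ClientError as err:
            return int(err.response["ResponseMetadata"]["HTTPStatusCode"])
    return probe


if __name__ == "__main__":
    # Constructed sample: pretend HeadBucket answers for three regions, offline.
    sample = {"svc-123456789012-us-east-1": 200,
              "svc-123456789012-eu-west-1": 403,
              "svc-123456789012-ap-south-1": 404}
    names = candidate_names("svc", "123456789012", ["us-east-1", "eu-west-1", "ap-south-1"])
    print(findings(audit(names, sample.__getitem__)))
```

Against a real account, replace `sample.__getitem__` with `boto3_probe("<your-account-id>")` and use the bucket name pattern each service actually documents.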

“Because S3 bucket names are unique across all of AWS, if you capture a bucket, it’s yours and no one else can claim that name,” said Ofek Itach, Aqua Nautilus Security Researcher. “We demonstrated how S3 can become a ‘shadow resource,’ and how easily attackers can discover or guess it and exploit it.”

“This finding is a significant part of Nautilus and Aqua’s mission,” said Kadkoda. “Our aim is to improve the security of the cloud and enable organizations to use it safely. Our responsible disclosure of findings to the AWS security team, and their professional response, prevented what could have been a massive initial access point for attackers, protecting the cloud environments of many organizations.”

The research was first presented at Black Hat on Wednesday, August 7, and the blog with full details will be available following the DEF CON session on Friday, August 9 at 2:30pm PST / 5:30pm EST at Aquasec.com.