Critical AWS Vulnerabilities Allow S3 Attack Bonanza

  /     /     /  
Publicated : 23/11/2024   Category : security


Critical AWS Vulnerabilities Allow S3 Attack Bonanza


Researchers at Aqua Security discovered the Shadow Resource attack vector and the Bucket Monopoly problem, where threat actors can guess the name of S3 buckets based on their public account IDs.



BLACK HAT USA – Las Vegas – Thursday, Aug. 8 –
Six critical vulnerabilities in Amazon Web Services (AWS) could have allowed threat actors to target organizations with remote code execution (RCE), exfiltration, denial-of-service attacks, or even account takeovers.
Most of the vulnerabilities were considered critical because they gave access to other accounts with minimal effort from the attacker perspective, Aquas lead security researcher Yakir Kadkoda tells Dark Reading.
During a briefing on Wednesday at
Black Hat USA
in Las Vegas, researchers at Aqua Security revealed that they discovered new attack vectors using bugs Bucket Monopoly and Shadow Resources. The impacted AWS services include Cloud Formation, CodeStar, EMR, Glue, SageMaker, and Service Catalog.
Upon discovering the vulnerabilities in February, the Aqua researchers reported them to AWS, which confirmed the issues and rolled out mitigations to the respective services piecemeal between March and June. However, open source iterations could still be vulnerable.
The researchers first uncovered Bucket Monopoly, an attack method that can significantly boost the success rate of attacks that exploit AWS S3 buckets — i.e., online storage containers for managing objects, such as files or images, and resources required for storing operational data.
The issue is that S3 storage buckets were designed to use predictable, easy-to-guess AWS account IDs instead of a unique identifier for each bucket name using a hash or qualifier.
Sometimes the only thing that an attacker needs to know about an organization is their public account ID for AWS, which is not considered sensitive data right now, but we recommend it is something that an organization should keep as a secret, Kadkoda says.
To mitigate the issue, AWS changed the default configurations.
All of the services have been fixed by AWS in that they no longer create the bucket name automatically, he explains. AWS now adds a random identifier or sequence number if the desired bucket name already exists.
Security researchers and AWS customers have
long debated
whether AWS account IDs should be public or private. AWS cautions customers against sharing credentials and advises them to use and share account IDs carefully. However, according to AWS documentation on account identities, account IDs are not considered secret, sensitive, or confidential information.
Aquas researchers disagree.
Based on our research, we strongly believe that account IDs should be considered secrets since there may be other kinds of similar exploits that could be carried out based on knowing an account ID, Kadkoda notes in a detailed technical report on the vulnerabilities set to be published on Friday. Although the common assumption is that knowing an account ID alone is not sufficient to hack an account, attackers might still use it to
gather information
about your AWS account and more.
An AWS spokesperson declined to comment on that specifically, but did say that AWS was aware of this research.
We can confirm that we have fixed this issue, all services are operating as expected, and no customer action is required,” the spokesperson says.
Kadkoda says his team also discovered the Shadow Resources attack vector, which can create AWS S3 service components unknown to the account owner.
The researchers initially discovered the problem in the AWS CloudFormation service, where an attacker could engage in resource squatting by creating accounts in unused AWS geographic regions with the same name as legitimate, existing stacks. Once the victim stored their workloads in a new region, they could connect to it and then unknowingly use attacker-controlled S3 buckets.
Thats because when using the service with the AWS Management Console to create a new stack, AWS automatically creates an S3 bucket to store CloudFormation templates. The name of the S3 bucket is the same across all AWS regions, which is how an attacker can guess the account name and gain access to it.
I can take over your S3 bucket and just poison the configuration and replace it, Aqua security researcher Assaf Morag says. Its a huge thing because in between the lines, with a remote code execution, you can grab the accounts of any company in the world.
All services require configuration files, and AWS uses S3 buckets as its file system to store configurations.
In most cases, these configurations are really significant because these are the instructions to the services, Morag says. It could be a YAML file or other things that the service needs to use behind the scenes.
Given that customers can have hundreds or thousands of distinct AWS accounts spread across regions worldwide, exploits of shadow services could have been significant, Morag emphasizes. Where there were any victims of the vulnerability is not known.
The potential of being attacked or being a victim could have been massive, he says.
While AWS has mitigated the vulnerabilities impacting its services, Kadkoda warns that the attack vectors could still impact open source projects deployed in their AWS environments. Many open source projects automatically create
S3 buckets
or direct users to deploy them, he notes.
We found a lot of open source projects vulnerable to this vector because theyre using them behind the scenes with predictable bucket names, Kadkoda says.
Users should check to see whether each existing buckets name has been claimed elsewhere, and, if so, they should rename it.
In all cases, Kadkoda and Morag say users should avoid creating S3 buckets with predictable or static identifiers in the first place. Instead, they should create an S3 bucket name with a unique hash or a random identifier for each region and account to prevent attackers from claiming them first.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Critical AWS Vulnerabilities Allow S3 Attack Bonanza