Researchers Call for CVE Approach for Cloud Vulnerabilities

Published: 23/11/2024   Category: security




New research suggests isolation among cloud customer accounts may not be a given — and the researchers behind the findings issue a call to action for cloud security.



BLACK HAT USA 2021 - Las Vegas - A pair of researchers who have been rooting out security flaws and weaknesses in cloud services over the past year revealed here this week new issues that they say break the isolation between different customers' Amazon Web Services (AWS) accounts in the cloud.
Such cross-account cloud service vulnerabilities likely extend beyond AWS, too, researchers Ami Luttwak and Shir Tamari of cloud security startup Wiz.io said of their findings.
The cross-account flaws suggest a chilling reality for cloud customers: their cloud instances aren't necessarily isolated from those of the provider's other customers, according to the research. "We showed that it's possible to manipulate services in AWS to access other services," Tamari said in an interview. That could allow an attacker to read data in another cloud customer's S3 storage bucket, or send and store data from their own cloud account into another customer's for nefarious purposes, the researchers demonstrated.
But the three security flaws the researchers found, vulnerabilities in AWS Config, CloudTrail, and AWS Serverless Repository that AWS fixed earlier this year, merely reflect a bigger problem with securing cloud services. Luttwak and Tamari say their latest findings underscore the need for a CVE-type repository where cloud providers and researchers can share vulnerability information, and they plan to pursue an industry initiative that does just that.
"We think that cloud vulnerabilities are an industry problem. How do we make sure everybody knows about this vuln? Every day, we're finding these [various] kinds of vulnerabilities in cloud services," Luttwak told attendees during the pair's presentation this week on the cross-account flaws they found in AWS late last year.
"It's about us as an industry and the need to share that information," said Luttwak, who has approached the Cloud Security Alliance (CSA) with the proposed concept. "The industry needs a database that lists cloud vulns, a CVE system for the cloud," he explained.
That would provide a formal accounting of cloud vulns and include their severity ratings as well as the status of their fixes or patches. "We need to be able to identify vulnerabilities and have good tracking numbers so customers and vendors can track those issues, and have a severity score for fixing those vulnerabilities," Tamari said in an interview.
Luttwak and Tamari's aha moment that led to their call to action for a centralized vulnerability tracking system for the cloud came when they found that, five months after AWS had fixed the cross-account flaws they reported to the cloud services firm, some 90% of AWS Serverless Repository buckets were still improperly configured. So AWS customers apparently had not applied the new scoping condition setting in Serverless Repository, which AWS had alerted customers about via email and the AWS Personal Health Dashboard.
"Most are still using it configured [incorrectly] and with full access to their S3 storage buckets," Luttwak explained.
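The scoping condition the article refers to is, in the form AWS documents for its service principals, a condition key in the bucket policy that ties the grant to the account on whose behalf the service is acting. The Python below is an added example and is not code from the article or from Wiz's research: it models a bucket policy that lets a deputy service read the bucket with and without an aws:SourceAccount condition, and includes a small audit helper that flags service-principal grants lacking such a condition, the kind of check behind a "90% still misconfigured" figure. The account IDs and bucket name are constructed placeholders, the service principal name is assumed for illustration, and the evaluator is a deliberately simplified stand-in for the real AWS policy engine, not a reproduction of the flaws the researchers reported.

```python
"""Toy model of an S3 bucket policy granting a deputy service read access,
unscoped versus scoped with aws:SourceAccount. Added example, not from the
article; account IDs, bucket and service name are constructed placeholders."""
import fnmatch

OWNER_ACCOUNT = "111111111111"      # constructed placeholder
ATTACKER_ACCOUNT = "222222222222"   # constructed placeholder
BUCKET = "example-app-artifacts"    # constructed placeholder
SERVICE = "serverlessrepo.amazonaws.com"  # deputy service, assumed for illustration

# Weak setting: the service may read the bucket no matter which account
# steered it into doing so (a confused-deputy shape).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowServiceRead",
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Hardened setting: same grant, but only when the service acts on behalf of
# the bucket owner's own account.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowServiceReadFromOwnerOnly",
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": OWNER_ACCOUNT}},
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    """Toy evaluation supporting only StringEquals and ArnLike."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing context key: condition not satisfied
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "ArnLike":
                if not any(fnmatch.fnmatch(actual, p) for p in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"unsupported operator in toy evaluator: {operator}")
    return True


def is_allowed(policy, service, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow whose conditions hold."""
    decision = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service not in services:
            continue
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def service_read_on_behalf_of(policy, source_account, key="template.yaml"):
    """Can the deputy service read an object when steered by `source_account`?"""
    return is_allowed(policy, SERVICE, "s3:GetObject",
                      f"arn:aws:s3:::{BUCKET}/{key}",
                      {"aws:SourceAccount": source_account})


def unscoped_service_grants(policy):
    """Audit: Sids of Allow statements to a service principal that carry no
    aws:SourceAccount / aws:SourceArn condition."""
    hits = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if not keys & {"aws:SourceAccount", "aws:SourceArn"}:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "owner:", service_read_on_behalf_of(pol, OWNER_ACCOUNT),
              "attacker:", service_read_on_behalf_of(pol, ATTACKER_ACCOUNT),
              "unscoped:", unscoped_service_grants(pol))
```

Run stand-alone, the weak policy lets the service read on behalf of either account while the hardened one answers only for the owner's account, and the audit helper names the unscoped statement. Against real buckets the same audit would be run over the JSON returned by `aws s3api get-bucket-policy` rather than the embedded policies; the evaluator here ignores IAM identity policies, SCPs and bucket ACLs, which the real engine also consults.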
AWS sees the researchers' findings differently, however. An AWS spokesperson said that the issues reported by the researchers aren't vulnerabilities but instead configuration choices that some customers use and others prefer not to use.
More Vulns on the Horizon
Tamari noted that cloud security research is still a relatively new discipline, and there are plenty of unknown issues yet to be uncovered. "There are so many new features [for cloud services], and it's very hard to track all the models and updates," he said, and cloud services can easily be misconfigured by an organization.
The idea [is] that there are so many cloud services vulnerable to cross-connect vulns, we want the community to help search for them, he said. The hope is that sharing those findings among the security community could help raise awareness among organizations adopting and configuring cloud services.
