Amazon Web Services fixes “Superglue” vulnerability
Orca’s security research team has publicly disclosed flaws in two Amazon Web Services (AWS) tools that could have allowed unauthorized access to accounts and been used to leak sensitive files. Both bugs have been fully fixed.
The first flaw, which Orca dubbed Superglue, was a glitch in AWS Glue that users could exploit to gain access to information maintained by other AWS Glue users.
Amazon Web Services (AWS) describes Glue as “a serverless data integration service that makes it easy to discover, prepare, and combine data for analysis, machine learning, and application development.” It’s fair to say that AWS customers use it to manage large amounts of data. So big, in fact, that AWS lets Glue users store up to 1 million objects for free.
“We were able to identify a feature in AWS Glue that could be leveraged to obtain credentials for a role within the AWS service’s own account,” explains Orca, “which provided us with full API access to the internal department. In combination with an internal misconfiguration in Glue’s internal service API, we were able to further increase privileges within the account to the point where we had unrestricted access to all service resources in the region, including full administration privileges.”
The company claims to have been able to exploit this flaw to:
Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there is at least one such role.
Query and modify AWS Glue service-related resources in a region. This includes, but is not limited to, metadata for: Glue jobs, development endpoints, workflows, crawlers, and triggers.
Orca claims to have confirmed the ability to access information managed by other AWS Glue users using numerous accounts it controlled; the company did not have access to anyone else’s data while it investigated this flaw. It also states that AWS responded to its disclosure within hours, had a partial mitigation the next day, and fully mitigated the issue “a few days later.”
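As an added example (not code from the article, from Orca or from AWS), here is a defender-side check for the roles described above: it parses IAM trust policies, lists the roles the Glue service principal is allowed to assume, and flags any whose trust statement is not pinned to the account with an aws:SourceAccount or aws:SourceArn condition, the standard AWS guard against a service acting as a confused deputy. Role names and policy documents are a constructed sample shaped like iam:ListRoles output.

```python
GLUE_PRINCIPAL = "glue.amazonaws.com"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # compared case-insensitively

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def glue_trust_statements(trust_policy):
    """Yield each Allow statement that lets the Glue service principal assume the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if (GLUE_PRINCIPAL in _as_list(principal.get("Service"))
                and set(_as_list(stmt.get("Action"))) & ASSUME_ACTIONS):
            yield stmt

def is_scoped(stmt):
    """True when the statement pins the caller via aws:SourceAccount or aws:SourceArn."""
    keys = {k.lower() for values in (stmt.get("Condition") or {}).values() for k in values}
    return bool(keys & SCOPING_KEYS)

def audit_glue_roles(roles):
    """Map each role Glue can assume to True if every Glue trust statement is scoped, else False."""
    findings = {}
    for role in roles:
        stmts = list(glue_trust_statements(role["AssumeRolePolicyDocument"]))
        if stmts:
            findings[role["RoleName"]] = all(is_scoped(s) for s in stmts)
    return findings

# Constructed sample shaped like iam:ListRoles output (real data would come from boto3).
SAMPLE_ROLES = [
    {"RoleName": "AWSGlueServiceRole-etl", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "GlueRoleScoped", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["glue.amazonaws.com"]}, "Action": ["sts:AssumeRole"],
         "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}}]}},
    {"RoleName": "EC2Only", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
]

if __name__ == "__main__":
    for name, scoped in audit_glue_roles(SAMPLE_ROLES).items():
        print(name, "scoped" if scoped else "UNSCOPED: add an aws:SourceAccount/aws:SourceArn condition")
```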
The second flaw affected AWS CloudFormation, which AWS says “allows you to model, provision, and manage AWS and third-party resources by treating infrastructure as code.” (This “infrastructure-as-code” paradigm has become increasingly popular among enterprises looking to make setting up and maintaining their networks and tools more convenient as they move to the cloud.)
Orca called the second flaw BreakingFormation and said it “could have been used to leak sensitive files found on the vulnerable service machine and make server-side requests (SSRF) susceptible to unauthorized disclosure of user credentials to internal AWS infrastructure services.” It says the flaw was “fully mitigated within 6 days” of being disclosed to AWS.
BleepingComputer notes that AWS Vice President Colm MacCárthaigh provided more information about the BreakingFormation flaw on Twitter. MacCárthaigh’s first tweet responded to a claim that the flaw showed Orca had “accessed all AWS resources from all AWS accounts!” with the following:
Orca CTO Yoav Alon also tweeted that CloudFormation’s reach was not as wide as the original tweet implied. MacCárthaigh continued with a thread about Orca’s findings:
“We immediately reported the issue to AWS,” says Orca, “who acted quickly to resolve it. The AWS security team coded a fix in less than 25 hours and it reached all AWS Regions in 6 days. Orca Security researchers helped test the patch to ensure this vulnerability was properly addressed, and we were able to verify that it could no longer be exploited.”
In a statement, Amazon said, “We are aware of an issue with AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. After learning of this issue from Orca Security, we took immediate action to mitigate it within hours and added additional checks to services to prevent recurrence.”
Editor’s note: This story has been updated with comments from Amazon.