Professionals Discover Major AWS Vulnerabilities Resulting in RCE, Data Breach, and Full-Service Seizures

Aug 09, 2024 | Ravie Lakshmanan | Cloud Security / Data Protection

Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could have serious consequences.

“The consequences of these vulnerabilities span from remote code execution (RCE), complete user account takeover (potentially granting extensive administrative privileges), manipulation of AI components, exposure of sensitive data, unauthorized data extraction, and denial of service,” cloud security company Aqua stated in a comprehensive report shared with The Hacker News.

Following responsible disclosure in February 2024, Amazon fixed the issues progressively between March and June. The findings were presented at Black Hat USA 2024.

At the core of the problem, which Aqua calls Bucket Monopoly, is an attack vector it names Shadow Resource: an S3 bucket that is created automatically on the customer's behalf when services such as CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar are used.

The name of an S3 bucket created this way is unique to the account but follows a predictable format (“cf-templates-{Hash}-{Region}”). An attacker can exploit this by creating buckets with those names in regions the victim has not yet used, then waiting for the legitimate AWS customer to use one of the vulnerable services there, thereby gaining covert access to the bucket's contents.


Because the attacker controls the permissions on the bucket, the technique can be used to escalate privileges, cause a denial of service, execute code, tamper with or steal data, and even take full control of the victim's account without their knowledge.

To improve their odds, attackers using Bucket Monopoly can create the unclaimed buckets in every available region in advance and store malicious code in them. When the targeted organization activates one of the susceptible services in a new region for the first time, that code is executed covertly, potentially creating an admin user that hands control to the attackers.

[Figure: Overview of CloudFormation vulnerability]

However, the attacker must wait for the victim to deploy a new CloudFormation stack in a region for the first time before the attack can take effect. Modifying the CloudFormation template file in the S3 bucket to create a rogue admin user also depends on the victim's account having permission to manage IAM roles.

[Figure: Overview of Glue vulnerability]
[Figure: Overview of CodeStar vulnerability]

Aqua noted that five other AWS services use a similar naming convention for their S3 buckets, {Service Prefix}-{AWS Account ID}-{Region}, which makes them susceptible to Shadow Resource attacks and ultimately lets a malicious actor escalate privileges and carry out harmful actions, including DoS, information disclosure, data tampering, and unauthorized code execution:

  • AWS Glue: aws-glue-assets-{Account-ID}-{Region}
  • AWS Elastic MapReduce (EMR): aws-emr-studio-{Account-ID}-{Region}
  • AWS SageMaker: sagemaker-{Region}-{Account-ID}
  • AWS CodeStar: aws-codestar-{Region}-{Account-ID}
  • AWS Service Catalog: cf-templates-{Hash}-{Region}

The company also stressed that AWS account IDs should be treated as sensitive information, contrary to what Amazon's documentation says, because an account ID is one of the inputs needed to compute these bucket names and mount similar attacks.

“This attack vector impacts not only AWS offerings but also various open-source projects used by enterprises to deploy resources in their AWS environments,” Aqua remarked. “Many open-source projects automatically create S3 buckets as part of their operations or advise users to establish S3 buckets.”

“Instead of utilizing predictable or fixed identifiers in the bucket name, it is advisable to generate a unique hash or a random identifier for each region and account, and include this value in the S3 bucket’s name. This practice aids in safeguarding against premature bucket claims by attackers.”
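The following is an added example, not code from Aqua, AWS, or The Hacker News, that models both the predictable naming patterns listed above and the mitigation Aqua recommends. It derives a per-account, per-region identifier with HMAC under a secret only the deploying party holds (one way to realise the "unique hash or random identifier" advice; the choice of HMAC is an assumption, not something the article prescribes) and adds an explicit ownership check before a bucket is used, in the spirit of S3's ExpectedBucketOwner request parameter. The FakeS3 class is a constructed in-memory stand-in for S3's global bucket namespace, and the account IDs, region and secret are constructed sample values.

```python
"""Predictable vs. hardened S3 bucket naming, modelled in memory.

Added example (not code from Aqua, AWS or The Hacker News). FakeS3 is a
constructed stand-in for S3's global bucket namespace; the account IDs,
region and secret used in demo() are constructed sample values.
"""
import hashlib
import hmac
import re

# Predictable patterns quoted in the article; the braces are the article's own placeholders.
PREDICTABLE_PATTERNS = {
    "glue": "aws-glue-assets-{account_id}-{region}",
    "emr": "aws-emr-studio-{account_id}-{region}",
    "sagemaker": "sagemaker-{region}-{account_id}",
    "codestar": "aws-codestar-{region}-{account_id}",
}

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit, no consecutive dots.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name: str) -> bool:
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def predictable_name(service: str, account_id: str, region: str) -> str:
    """The weak scheme: anyone who knows the account ID and region can compute it."""
    return PREDICTABLE_PATTERNS[service].format(account_id=account_id, region=region)


def hardened_name(prefix: str, account_id: str, region: str, deploy_secret: bytes) -> str:
    """Per-account, per-region identifier derived with HMAC from a secret only the
    owner holds: the owner can recompute it, an outsider cannot guess it."""
    msg = f"{account_id}/{region}".encode()
    tag = hmac.new(deploy_secret, msg, hashlib.sha256).hexdigest()[:16]
    name = f"{prefix}-{tag}-{region}"
    if not valid_bucket_name(name):
        raise ValueError(f"derived name violates S3 naming rules: {name}")
    return name


class FakeS3:
    """Constructed stand-in for S3's global namespace: each name exists once, with one owner."""

    def __init__(self):
        self.owner: dict[str, str] = {}

    def create_bucket(self, name: str, account_id: str) -> str:
        if name in self.owner:
            return "BucketAlreadyOwnedByYou" if self.owner[name] == account_id else "BucketAlreadyExists"
        self.owner[name] = account_id
        return "Created"

    def head_bucket(self, name: str, expected_owner: str) -> bool:
        """Mirrors the idea behind S3's ExpectedBucketOwner: True only if the
        bucket exists and belongs to expected_owner."""
        return self.owner.get(name) == expected_owner


def deploy_vulnerable(s3: FakeS3, service: str, account_id: str, region: str) -> str:
    """The behaviour the article describes: compute the name, create-if-missing, and
    treat 'already exists' as 'already ours'. Artifacts then land in whatever
    bucket currently holds that name, whoever owns it."""
    name = predictable_name(service, account_id, region)
    s3.create_bucket(name, account_id)  # result ignored: the defect
    return name


def deploy_hardened(s3: FakeS3, prefix: str, account_id: str, region: str, deploy_secret: bytes) -> str:
    """Unpredictable name plus an explicit ownership check before any write."""
    name = hardened_name(prefix, account_id, region, deploy_secret)
    result = s3.create_bucket(name, account_id)
    if result == "BucketAlreadyExists" or not s3.head_bucket(name, account_id):
        raise RuntimeError(f"bucket {name} is not owned by {account_id}; refusing to use it")
    return name


def demo() -> dict:
    """Runs both deployers in a namespace where the predictable name was already
    claimed by a different account, and reports who owns each resulting bucket."""
    s3 = FakeS3()
    victim, other, region = "123456789012", "999999999999", "eu-west-3"  # constructed
    secret = b"constructed-deployment-secret"
    s3.create_bucket(predictable_name("glue", victim, region), other)  # claimed first by someone else
    weak = deploy_vulnerable(s3, "glue", victim, region)
    strong = deploy_hardened(s3, "aws-glue-assets", victim, region, secret)
    return {"weak": weak, "weak_owner": s3.owner[weak],
            "strong": strong, "strong_owner": s3.owner[strong]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two fixes are independent: the unpredictable name removes the attacker's ability to pre-claim, and the ownership check makes a deployer refuse to write even if a predictable name is still in use somewhere, so a tool that cannot change its naming scheme can still adopt the second.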
