Latest ‘ALBeast’ Security Flaw Reveals Vulnerability in AWS Application Load Balancer
Approximately 15,000 applications that rely on Amazon Web Services’ (AWS) Application Load Balancer (ALB) for user authentication may be at risk due to a configuration-based flaw that could allow attackers to bypass access controls and compromise the applications.
This finding comes from Israeli cybersecurity firm Miggo, which named the issue ALBeast.
“This loophole permits malicious individuals to directly reach the impacted applications, particularly when they are exposed to the web,” security analyst Liad Eliyahu explained.
ALB, an Amazon service, routes HTTP and HTTPS traffic to designated applications based on request characteristics. It also lets applications offload authentication to the ALB itself.
Amazon notes on its website that the Application Load Balancer securely authenticates users as they access cloud applications.
“Application Load Balancer is seamlessly connected to Amazon Cognito, enabling users to authenticate via popular social identity providers such as Google, Facebook, and Amazon, as well as enterprise identity providers like Microsoft Azure Active Directory via SAML or any OpenID Connect-compliant identity provider (IdP).”
The essence of the attack is that an adversary sets up their own ALB instance, with their own authentication configuration, in their own AWS account.
In the next phase, that ALB is used to issue a signed token under the attacker’s control; by then altering the ALB configuration, the attacker obtains a genuine ALB-signed token bearing the victim’s identity and uses it to reach the target application without passing its authentication and authorization checks.
Put differently, the goal is to have AWS sign the token as if it originated from the victim’s system and then use it to access the application, which requires that the application is either publicly reachable or already accessible to the attacker.
Following responsible disclosure in April 2024, Amazon revised the documentation for the authentication feature and added new sample code for verifying the signer.
“To ensure security, it is crucial to authenticate the signature prior to any authorization based on the assertions and ascertain that the signer field in the JWT header includes the anticipated Application Load Balancer ARN,” Amazon explicitly advises in its documentation.

“As a security precaution, it is recommended to limit your targets to receive traffic solely from your Application Load Balancer. This can be achieved by configuring your targets’ security group to reference the load balancer’s security group ID.”
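The check Amazon now calls for, as an added example that is not AWS’s documentation code or Miggo’s: a Go verifier for the ALB-issued JWT that rejects any token whose `signer` header is not the ARN of the load balancer we actually deployed, before it fetches a key or trusts a single claim, then verifies the ES256 signature and expiry. The header field names (`alg`, `kid`, `signer`) follow the AWS documentation; the two key pairs, the ARNs and the in-memory key resolver are constructed stand-ins for the keys AWS holds and publishes per `kid`, and the `MintToken` function stands in for AWS signing a token on behalf of whichever ALB an identity-provider session completed on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header fields the ALB places in the x-amzn-oidc-data JWT (names per the AWS docs).
type ALBHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the load balancer that issued the token
}

// Identity claims carried in the payload.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// KeyResolver returns the public key for a kid. Production code fetches it from
// https://public-keys.auth.elb.<region>.amazonaws.com/<kid>; this example (an assumption
// for offline use) resolves from an in-memory map instead.
type KeyResolver func(kid string) (*ecdsa.PublicKey, error)

var ErrWrongSigner = errors.New("signer header is not our load balancer's ARN")

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds an ES256 JWT in the ALB layout. It is a constructed stand-in for AWS
// signing; in reality the application never holds these private keys.
func MintToken(priv *ecdsa.PrivateKey, hdr ALBHeader, c Claims) (string, error) {
	hb, _ := json.Marshal(hdr)
	cb, _ := json.Marshal(c)
	input := b64url(hb) + "." + b64url(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWT ES256 signatures are raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// VerifyALBToken applies the checks in the order the revised AWS guidance implies:
// signer ARN first (a valid signature alone only proves "some ALB" issued the token,
// since every ALB's key is published under the same regional endpoint), then the
// ES256 signature under the key for kid, then expiry. Claims are returned only after all three pass.
func VerifyALBToken(token, ourALBArn string, resolve KeyResolver, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr ALBHeader
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if hdr.Signer != ourALBArn {
		return nil, ErrWrongSigner
	}
	pub, err := resolve(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Scenario mints one token through our ALB and one through a different ALB (both with
// constructed keys and placeholder ARNs) and reports how the verifier treats each.
func Scenario() (ownOK bool, foreignErr error, err error) {
	const ourArn = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/our-alb/PLACEHOLDER"
	const otherArn = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/other-alb/PLACEHOLDER"
	keys := map[string]*ecdsa.PrivateKey{}
	for _, kid := range []string{"kid-ours", "kid-other"} {
		if keys[kid], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return false, nil, err
		}
	}
	resolve := func(kid string) (*ecdsa.PublicKey, error) {
		if k, ok := keys[kid]; ok {
			return &k.PublicKey, nil
		}
		return nil, fmt.Errorf("unknown kid %q", kid)
	}
	now := time.Now()
	user := Claims{Sub: "user-123", Email: "alice@example.com", Exp: now.Add(2 * time.Minute).Unix()}
	own, err := MintToken(keys["kid-ours"], ALBHeader{Alg: "ES256", Kid: "kid-ours", Signer: ourArn}, user)
	if err != nil {
		return
	}
	foreign, err := MintToken(keys["kid-other"], ALBHeader{Alg: "ES256", Kid: "kid-other", Signer: otherArn}, user)
	if err != nil {
		return
	}
	if _, err = VerifyALBToken(own, ourArn, resolve, now); err != nil {
		return
	}
	ownOK = true
	_, foreignErr = VerifyALBToken(foreign, ourArn, resolve, now) // same claims, valid signature, wrong signer
	return ownOK, foreignErr, nil
}

func main() {
	ownOK, foreignErr, err := Scenario()
	fmt.Println("own ALB token accepted:", ownOK, "| foreign ALB token:", foreignErr, "| error:", err)
}
```

The point of the ordering is that the `foreign` token carries the same identity claims and a signature that verifies under a key the resolver knows, so a verifier that only checks the signature would accept it; comparing `signer` against the deployed load balancer’s ARN is the one check that distinguishes our ALB from any other. Pair this with the security-group restriction Amazon recommends so that targets accept traffic only from that load balancer.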
The disclosure coincides with Acronis revealing how a misconfiguration in Microsoft Exchange can expose organizations to email spoofing, letting attackers circumvent DKIM, DMARC, and SPF protections and send fraudulent emails that appear to come from reputable entities.
“Failure to secure your Exchange Online setup to accept emails only from your third-party service or not activating enhanced filtering for connectors would allow anyone to send emails to you via ourcompany.protection.outlook.com or ourcompany.mail.protection.outlook.com, bypassing DMARC (SPF and DKIM) verification,” the company explained.