Experts Discover Serious AWS Flaws Leading to RCE, Data Theft, and Full Takeovers
09-08-2024 | Ravie Lakshmanan | Cloud Security / Data Protection

Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) that, if successfully exploited, could have had serious consequences for affected customers.

“The impact of these vulnerabilities ranges from remote code execution (RCE), full user takeover (which can provide powerful administrative access), manipulation of AI modules, sensitive data exposure, data exfiltration, and denial of service,” cloud security firm Aqua said in a detailed report shared with The Hacker News.

Following the responsible disclosure in February 2024, Amazon addressed the deficiencies over several months from March to June. The findings were presented at Black Hat USA 2024.

At the heart of the problem, dubbed Bucket Monopoly, is an attack vector called Shadow Resource. Here it refers to S3 buckets that AWS services such as CloudFormation, Glue, EMR, SageMaker, Service Catalog, and CodeStar create automatically on the user's behalf, without the user explicitly requesting them, the first time the service is used in a region.

The S3 bucket name created this way is unique to the account but follows a predictable convention (“cf-templates-{Hash}-{Region}”), and because S3 bucket names are global across all AWS accounts, whoever creates a given name first owns it. An attacker who learns a victim's hash can therefore pre-create the bucket in regions the victim has not used yet and wait for the victim to use one of the susceptible services there; the service then writes its data into a bucket the attacker controls, giving the attacker surreptitious access to its contents.


Depending on how the victim's service uses the adversary-controlled S3 bucket and on the permissions of the role that processes its contents, the approach can be used to trigger a DoS condition, execute code, manipulate or steal data, and even gain full control over the victim's account without the user's knowledge.

To maximize their chances of success, attackers can use Bucket Monopoly to pre-create the unclaimed bucket names in all available regions and store malicious code in each bucket. When the targeted organization first enables one of the vulnerable services in a new region, the service reads and executes the attacker's content without the victim noticing, potentially resulting in the creation of an admin user that hands control to the attackers.

CloudFormation Vulnerability Overview

However, it is important to note that the attacker must wait until the victim deploys a CloudFormation stack in a new region for the first time for the attack to succeed. Modifying the CloudFormation template file in the S3 bucket to create a malicious admin user also relies on the victim account having permission to manage IAM roles.

Glue Vulnerability Overview
CodeStar Vulnerability Overview

Aqua said it found five other AWS services that rely on a similarly predictable naming scheme for their S3 buckets, built from a service prefix, the AWS account ID, and the region (the order of the components varies by service, as the list below shows), exposing them to Shadow Resource attacks and ultimately allowing a threat actor to escalate privileges and perform malicious actions including DoS, information disclosure, data manipulation, and arbitrary code execution.

  • AWS Glue: aws-glue-assets-{Account ID}-{Region}
  • AWS Elastic MapReduce (EMR): aws-emr-studio-{Account ID}-{Region}
  • AWS SageMaker: sagemaker-{Region}-{Account ID}
  • AWS CodeStar: aws-codestar-{Region}-{Account ID}
  • AWS Service Catalog: cf-templates-{Hash}-{Region}

The company also noted that AWS account IDs should be considered secret, contrary to what Amazon claims in its documentation, as they can be used to conduct similar attacks.

“This attack vector not only affects AWS services, but also many open source projects that organizations use to deploy resources in their AWS environments,” Aqua said. “Many open source projects automatically create S3 buckets as part of their functionality or instruct their users to deploy S3 buckets.”

“Instead of using predictable or static identifiers in the bucket name, it is recommended to generate a unique hash or random identifier for each region and account, and include that value in the S3 bucket name. This approach helps protect against attackers who prematurely claim your bucket.”
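The bucket list above makes the defensive side of this concrete: a defender can enumerate every predictable name for their own account, check who owns each one, and claim any that are still free before an attacker does. The following Python is an added example, not Aqua's or AWS's code. It builds the names the article lists (the cf-templates bucket is left out because its hash is assigned by AWS and cannot be derived from the account ID), classifies each one with the S3 HeadBucket call and its ExpectedBucketOwner parameter, and generates the randomized bucket name that Aqua recommends. The S3 client is injected so the block runs offline against constructed data; with boto3 you would pass `boto3.client("s3").head_bucket` instead of the fake shown here. The account IDs, regions, and bucket states in the demo are made up.

```python
import re
import secrets

# Naming patterns quoted in the article (cf-templates-{Hash}-{Region} omitted:
# the hash is assigned by AWS per account and is not derivable from the ID).
PATTERNS = {
    "glue": "aws-glue-assets-{account}-{region}",
    "emr-studio": "aws-emr-studio-{account}-{region}",
    "sagemaker": "sagemaker-{region}-{account}",
    "codestar": "aws-codestar-{region}-{account}",
}

# Subset of the S3 bucket naming rules: 3-63 chars, lowercase letters, digits
# and hyphens, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def candidate_names(account_id, regions):
    """Map every predictable bucket name for this account to (service, region)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    names = {}
    for region in regions:
        for service, pattern in PATTERNS.items():
            name = pattern.format(account=account_id, region=region)
            if not BUCKET_NAME_RE.match(name):
                raise ValueError(f"invalid bucket name: {name}")
            names[name] = (service, region)
    return names


class S3Error(Exception):
    """Minimal stand-in for botocore's ClientError, carrying only the HTTP status."""

    def __init__(self, status):
        super().__init__(f"S3 returned {status}")
        self.status = status


def classify(head_bucket, bucket, account_id):
    """Run HeadBucket with ExpectedBucketOwner and map the result.

    'owned'   200: the bucket exists and our account owns it.
    'absent'  404: nobody has claimed the name yet; claim it before an attacker does.
    'foreign' 403: the bucket exists but the owner check failed (or access was
              denied). Treat it as possibly attacker-controlled and never let a
              service write templates, scripts or model artifacts into it.
    """
    try:
        head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
    except S3Error as err:
        if err.status == 404:
            return "absent"
        if err.status == 403:
            return "foreign"
        raise
    return "owned"


def audit(account_id, regions, head_bucket):
    """Return {'owned': [...], 'absent': [...], 'foreign': [...]} over all candidates."""
    report = {"owned": [], "absent": [], "foreign": []}
    for name in sorted(candidate_names(account_id, regions)):
        report[classify(head_bucket, name, account_id)].append(name)
    return report


def unpredictable_name(prefix, region):
    """Aqua's mitigation: a random per-account, per-region identifier in the name."""
    name = f"{prefix}-{region}-{secrets.token_hex(6)}"
    if not BUCKET_NAME_RE.match(name):
        raise ValueError(f"invalid bucket name: {name}")
    return name


# Constructed demo data: fictitious account IDs and a pretend global bucket namespace.
OUR_ACCOUNT = "123456789012"
ATTACKER_ACCOUNT = "999999999999"
DEMO_REGIONS = ["us-east-1", "eu-west-1"]
FAKE_BUCKETS = {
    "aws-glue-assets-123456789012-us-east-1": OUR_ACCOUNT,  # created by us earlier
    "sagemaker-eu-west-1-123456789012": ATTACKER_ACCOUNT,   # squatted before we used the region
}


def fake_head_bucket(Bucket, ExpectedBucketOwner):
    """Mimics S3 HeadBucket: 404 for an unclaimed name, 403 when the owner differs."""
    owner = FAKE_BUCKETS.get(Bucket)
    if owner is None:
        raise S3Error(404)
    if owner != ExpectedBucketOwner:
        raise S3Error(403)
    return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    for state, buckets in audit(OUR_ACCOUNT, DEMO_REGIONS, fake_head_bucket).items():
        print(f"{state}: {buckets}")
    print("randomized name:", unpredictable_name("cf-templates", "us-east-1"))
```

Two caveats when running this for real. A 403 cannot distinguish "someone else owns this name" from "I lack permission on my own bucket", so a `foreign` result needs a follow-up check rather than an automatic verdict; a 404, by contrast, is unambiguous and is the state to act on by creating the bucket yourself. The randomized name only helps for buckets you create; for CloudFormation's own upload bucket you cannot pick the name, so the practical equivalent is to upload templates to a bucket you already own and pass it explicitly (for example with the `--s3-bucket` option of `aws cloudformation deploy`) instead of relying on the auto-created cf-templates bucket.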
