Two critical cloud security vulnerabilities in Amazon AWS that allow file and credential disclosure

A report by cloud security firm Orca Security describes a set of zero-day vulnerabilities found in several Amazon AWS cloud services. Successful exploitation of these flaws would allow the leakage of user files and of credentials belonging to internal company services.

Identified by researcher Tzah Pahima, the first vulnerability resides in AWS CloudFormation and was described as an XML external entity (XXE) bug that would allow threat actors to extract sensitive files from vulnerable systems and to carry out server-side request forgery (SSRF) attacks.

The researcher adds that the template rendering feature in CloudFormation made it possible to trigger the XXE vulnerability and eventually read sensitive files on the server. Successful exploitation would give access to configuration files and information about AWS servers, including access credentials and other data related to internal endpoints.

Another notable flaw lies in the AWS Glue service; its exploitation would allow attackers to create resources in, and access data of, other affected customers' accounts. The researcher mentions that exploiting this bug was quite a lengthy process, but that internal configuration errors in Amazon AWS Glue made the flaw practical to abuse.

Further analysis revealed that another feature in AWS Glue could be abused to extract the credentials of users in charge of AWS accounts and to access the internal service API. Chaining the two faults could also lead to privilege escalation.

Exploiting this flaw allowed the researcher to perform a number of malicious actions, including:

  • Assume roles in AWS customer accounts that are trusted by the Glue service
  • Access and modify resources related to the AWS Glue service in a given region, including metadata for Glue jobs, development endpoints, and workflows
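The first item above is the one a defender can check for directly: roles whose trust policy lets the Glue service principal assume them. The following is an added example, not code from Orca Security or AWS, that inspects IAM trust policy documents and flags Glue-trusting statements that lack the aws:SourceAccount / aws:SourceArn condition AWS recommends against confused-deputy abuse; the function names and the sample policies are constructed for this illustration.

```python
GLUE_PRINCIPAL = "glue.amazonaws.com"
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def _as_list(value):
    """IAM allows scalar-or-list for most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def glue_trust_findings(trust_policy):
    """Return one finding per Allow statement that lets the Glue service principal
    (or a wildcard principal) call sts:AssumeRole on this role.
    'scoped' is True when the statement carries an aws:SourceAccount or
    aws:SourceArn condition, the confused-deputy guard AWS recommends for
    service-assumed roles."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if GLUE_PRINCIPAL not in services and not wildcard:
            continue
        cond_keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            cond_keys.update(k.lower() for k in operator_block)
        findings.append({"sid": stmt.get("Sid", ""), "via_wildcard": wildcard,
                         "scoped": bool(cond_keys & SCOPING_KEYS)})
    return findings

def unscoped_glue_sids(trust_policy):
    """Statement IDs that trust Glue without a source-account/ARN scope."""
    return [f["sid"] for f in glue_trust_findings(trust_policy) if not f["scoped"]]

# Constructed sample trust policies (not taken from the article).
UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GlueTrust", "Effect": "Allow",
    "Principal": {"Service": "glue.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GlueTrustScoped", "Effect": "Allow",
    "Principal": {"Service": ["glue.amazonaws.com"]}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]}

if __name__ == "__main__":
    for name, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, unscoped_glue_sids(policy))
```

In a real review the policy documents would come from `iam:GetRole` / `iam:ListRoles` output for every account; a role trusting `glue.amazonaws.com` is not necessarily wrong, but each unscoped one is worth a second look.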

The flaws have already been reported to and addressed by Amazon. The good news is that, so far, no active exploitation attempts have been detected.