AWS offers a variety of technologies that help organizations adopt cloud-based solutions and often promote overall cybersecurity. As with any complex technology, AWS solutions are also exposed to the risk of security vulnerabilities. These are weaknesses, whether known or unknown, that malicious threat actors can exploit in order to:
While AWS employs several layers of security that would prevent an isolated vulnerability in a single AWS solution from causing tangible damage or disrupting a service, AWS users should ensure that their AWS systems are adequately secured against all known security vulnerabilities.
Here’s a list of some of the most common AWS vulnerabilities that were exposed during the last few years.
AppSync cross-tenant vulnerability
A cross-tenant vulnerability in the AWS AppSync service allowed hackers to assume multiple IAM roles for other users subscribed to the service. The vulnerability was identified in September 2022 and a fix was issued within a few days.
The vulnerability is related to the process that AWS offers for AppSync users to invoke APIs of other AWS services that can be integrated with AppSync but may not have a predefined resolver that interacts with AppSync to perform this task. Researchers found that AppSync could be configured with the required IAM role assignments for AppSync users with fewer privileges.
The validation process for these role assignments was bypassed, allowing researchers to create AppSync role assignments with unauthorized escalated IAM permissions.
Classic buffer overrun
AWS has reported several instances of buffer overrun vulnerabilities in recent years. A buffer overrun is an attempt to write data into a memory buffer beyond its capacity. As a result, the existing data is removed, replaced or interpreted incorrectly by a server receiving data from the overrun memory buffer.
These memory buffers are typically used in communication and security protocols in the TLS/SSL layers, as well as other authentication management systems at the network layer.
In 2022, AWS found that the TLS/SSL Web authentication process is vulnerable to buffer overflow, which could result in denial of service and remote execution attacks. The vulnerability involved verification of the X.509 certificate: once the buffer overflow in name constraint checking is triggered, and if a Certification Authority signs the malicious certificate or the server approves the certificate verification without tracking the trusted certificate issuer, a malicious client can successfully overcome the security authentication process. This vulnerability was deemed critical by AWS.
Similar classic buffer overflow vulnerabilities have also been found in openSUSE Linux integrations and OpenSC smart card IoT integrations with AWS services. The vulnerabilities allow hackers to create malformed configuration files that bypass the security verification process or integrity checks. The heap-based buffer out-of-band data transfer with the vulnerable systems would have led to:
- System crashes
- Possible denial of service or information leak incidents
An issue discovered in Amazon AWS VPN Client 2.0.0
AWS offers fully managed VPN solutions that allow organizations to access private networks and AWS services through secure SSL channels.
The AWS VPN client 2.0.0 was affected by two major vulnerabilities — these could allow hackers to escalate access privileges and leak hash values that can be used to reverse engineer login credentials of legitimate users.
Vulnerability 1: OpenVPN config files
The first vulnerability relates to the validation of OpenVPN config files: external configuration commands can be injected into these files and configured to run the AWS VPN client with escalated SYSTEM privileges. This allows a hacker to acquire partial or complete control over AWS VPN configurations, creating a risk of privilege escalation and denial of service attacks.
Vulnerability 2: Reference paths for authentication
The second vulnerability discloses the reference paths for security authentication. When the VPN validates the file path, it leaks the network level authentication hash function value, which could be used to decrypt user credential details such as passwords and PIN codes.
These vulnerabilities were resolved in the AWS VPN client 3.0.0.
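The two issues above both come down to what a client accepts in an OpenVPN profile before handing it to a privileged process. The following is an added example, not code from AWS or from the original post: a small linter that flags directives which run external code and file-path directives that point at another host. Treating remote (UNC or URL-style) paths as the credential-leaking case is an assumption, and the sample profile is constructed.

```python
import re

# OpenVPN directives that run an external program or load native code.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "script-security",
}
# OpenVPN directives whose argument is a file path the client opens.
PATH_DIRECTIVES = {
    "ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt", "dh", "crl-verify",
    "auth-user-pass", "config", "log", "log-append", "status", "writepid",
}
# Assumption: a path on another host (UNC or URL form) is the leaking case.
REMOTE_PATH = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def lint_openvpn_config(text):
    """Return (line_number, directive, reason) for each risky line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split(None, 1)
        # Normalise conservatively: drop a leading "--" and ignore case.
        name = parts[0].lstrip("-").lower()
        arg = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
        if name in EXEC_DIRECTIVES:
            findings.append((number, name, "runs external code"))
        elif name in PATH_DIRECTIVES and REMOTE_PATH.match(arg):
            findings.append((number, name, "remote file path"))
    return findings


# Constructed sample profile; host names and paths are placeholders.
SAMPLE = r"""
client
remote vpn.example.test 443
ca "\\fileserver.example.test\share\ca.crt"
cert C:\certs\client.crt
# up C:\tools\hook.bat
UP C:\tools\hook.bat
--script-security 2
"""

if __name__ == "__main__":
    for finding in lint_openvpn_config(SAMPLE):
        print(finding)
```

A deny-list like this is only a review aid for profiles received from outside; an allow-list of the directives a deployment actually needs is the stricter form of the same check.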
The power of security research & bug bounty programs
Now that the information on these vulnerabilities is public, any client-facing tool that has not been patched and updated on the user end is still exposed to cybersecurity risks. In fact, that is exactly how underground cybercrime rings operate on the dark web: they discover a vulnerability, develop an exploit toolkit and target any user that still uses vulnerable technologies.
While AWS automates most of this process for its SaaS solutions, a zero-day vulnerability that has been discovered by hackers and the solution provider, but for which a security patch has not yet been released, can still be exploited.