An AWS Configuration Issue Could Expose Thousands of Web Apps


A vulnerability related to Amazon Web Services' traffic-routing service known as Application Load Balancer could have been exploited by an attacker to bypass access controls and compromise web applications, according to new research. The flaw stems from a customer implementation issue, meaning it isn't caused by a software bug. Instead, the vulnerability was introduced by the way AWS users set up authentication with Application Load Balancer.

Implementation issues are an important component of cloud security, in the same way that the contents of an armored safe aren't protected if the door is left ajar. Researchers from the security firm Miggo found that, depending on how Application Load Balancer authentication was set up, an attacker could potentially manipulate its handoff to a third-party corporate authentication service to access the target web application and view or exfiltrate data.

The researchers say that, looking at publicly reachable web applications, they have identified more than 15,000 that appear to have vulnerable configurations. AWS disputes this estimate, though, and says that “a small fraction of a percent of AWS customers have applications potentially misconfigured in this way, significantly fewer than the researchers' estimate.” The company also says that it has contacted every customer on its shorter list to recommend a more secure implementation. AWS does not have access or visibility into its customers' cloud environments, though, so any exact figure is just an estimate.

The Miggo researchers say they came across the problem while working with a client. This “was discovered in real-life production environments,” Miggo CEO Daniel Shechter says. “We observed a weird behavior in a customer system—the validation process seemed like it was only being done partially, like there was something missing. This really shows how deep the interdependencies go between the customer and the vendor.”

To exploit the implementation issue, an attacker would set up an AWS account and an Application Load Balancer, and then sign their own authentication token as usual. Next, the attacker would make configuration changes so it would appear that their target's authentication service issued the token. Then the attacker would have AWS sign the token as if it had legitimately originated from the target's system and use it to access the target application. The attack must specifically target a misconfigured application that is publicly accessible or that the attacker already has access to, but it would allow them to escalate their privileges in the system.

Amazon Web Services says that the company does not view token forging as a vulnerability in Application Load Balancer because it is essentially an expected result of choosing to configure authentication in a particular way. But after the Miggo researchers first disclosed their findings to AWS at the beginning of April, the company made two documentation changes aimed at updating its implementation recommendations for Application Load Balancer authentication. One, from May 1, included guidance to add validation before Application Load Balancer will sign tokens. And on July 19, the company also added an explicit recommendation that users set their systems to receive traffic from only their own Application Load Balancer, using a feature called “security groups.”
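The validation the updated guidance calls for amounts to checking, before an application trusts the identity the load balancer forwards, that the token's signer is its own load balancer and not just any ALB that AWS signed for. The following is an added illustration, not code from the article, Miggo or AWS: it parses the header of the JWT that ALB forwards in the x-amzn-oidc-data header, rejects tokens whose "signer" ARN is not the expected one, and derives the AWS public-key URL for the subsequent ES256 signature check (the ARN, key id and claims are constructed; the signature verification itself needs an ECDSA library and is not shown).

```python
import base64
import json
import re

# Constructed for this example; a real deployment uses its own ALB's ARN.
EXPECTED_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                    "loadbalancer/app/my-alb/0123456789abcdef")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(signer_arn, kid, claims):
    """Test fixture in the shape of the x-amzn-oidc-data JWT: ALB carries
    'signer' and 'kid' in the header. The signature segment is a placeholder,
    because this helper only exists to exercise the check below."""
    header = {"alg": "ES256", "kid": kid, "signer": signer_arn, "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(x).encode()) for x in (header, claims)]
    return ".".join(segments) + ".placeholder-signature"

def public_key_url(signer_arn, kid):
    """Build the documented ALB public-key endpoint from the signer's region."""
    m = re.fullmatch(r"arn:aws:elasticloadbalancing:([a-z0-9-]+):\d{12}:"
                     r"loadbalancer/app/[^/]+/[0-9a-f]+", signer_arn)
    if not m:
        raise ValueError("not an application load balancer ARN")
    return f"https://public-keys.auth.elb.{m.group(1)}.amazonaws.com/{kid}"

def check_alb_token_header(token, expected_alb_arn):
    """Validate the header before trusting the token. Returns (accepted, detail);
    on success, detail is the key URL to verify the ES256 signature against."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers base64, UTF-8 and JSON decoding failures
        return False, "undecodable header"
    if not isinstance(header, dict) or header.get("signer") != expected_alb_arn:
        return False, "signer is not the expected load balancer"
    if header.get("alg") != "ES256" or not header.get("kid"):
        return False, "unexpected alg or missing kid"
    return True, public_key_url(expected_alb_arn, header["kid"])

if __name__ == "__main__":
    own = make_sample_token(EXPECTED_ALB_ARN, "kid-1", {"sub": "alice"})
    other_account = EXPECTED_ALB_ARN.replace("111111111111", "222222222222")
    foreign = make_sample_token(other_account, "kid-1", {"sub": "alice"})
    print(check_alb_token_header(own, EXPECTED_ALB_ARN))      # accepted
    print(check_alb_token_header(foreign, EXPECTED_ALB_ARN))  # rejected
```

Fetching the key only from the URL derived from the expected ARN, rather than from whatever the token's own header points at, is what keeps a token signed for another account's load balancer from ever reaching the signature check.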
