Amazon Web Services (AWS) fixed an AWS Glue security issue that allowed attackers to access and modify data related to other AWS customer accounts.
AWS Glue is a serverless, cloud-based data integration service that helps discover, prepare, and combine data for application development, machine learning, and analytics.
The flaw stemmed from an exploitable AWS Glue feature combined with a misconfiguration of the internal service API, which allowed security researchers at Orca Security to elevate privileges and access all service resources in the region.
“During our research, we were able to identify a feature in AWS Glue that could be leveraged to obtain credentials for a role within the AWS service’s own account, which provided us with full access to the Internal Service API,” explained Yanir Tsarimi, cloud security researcher at Orca Security.
“In combination with internal misconfiguration in Glue’s internal service API, we were able to further increase privileges within the account to the point where we had unrestricted access to all service resources in the region, including full administrative privileges.”
The researchers added that their findings were discovered using only AWS accounts owned by Orca Security and that they did not have access to information or data belonging to other AWS customers during their research.
While investigating the vulnerability, researchers assumed Glue-approved roles in other AWS customer accounts (every account with Glue access has at least one of these roles).
They were also able to query and modify AWS Glue service-related resources in an AWS Region, including but not limited to Glue job metadata, development endpoints, workflows, bots, and triggers.
The AWS Glue service team reproduced and confirmed the flaw within hours of receiving the report from Orca Security and partially mitigated the issue globally the next morning.
They deployed a full Superglue vulnerability mitigation in just a few days, blocking would-be attackers from accessing AWS Glue customer data.
The AWS security team also patched a second vulnerability discovered by Orca Security in the AWS CloudFormation service (nicknamed BreakingFormation).
According to the researchers, this XXE (XML External Entity) flaw led to the disclosure of files and credentials of internal AWS infrastructure services.
“Our research team believes, given the data found on the host (including credentials and data involving internal endpoints), that an attacker could exploit this vulnerability to bypass tenant limits, giving them privileged access to any resource in AWS,” Tzah Pahima of Orca Security added.
However, AWS VP Colm MacCárthaigh denied the security firm’s claims, saying that the BreakingFormation bug could only have been used to access host-level credentials and that AWS CloudFormation hosts do not have access to resources in all AWS accounts.
Ok here is my quick summary of this problem: @orcasec discovered and reported an issue that led to SSRF on hosts and could retrieve credentials and configuration at the localhost. Great find! 1/n https://t.co/R2UsSrOdZ7
– Colm MacCarthaigh (@colmmacc) January 13, 2022