AWS Fixes Vulnerability That Could Allow Access to Customer Data via AWS Glue


Amazon Web Services (AWS) announced that it has addressed a security issue in AWS Glue that could allow attackers to access and alter data linked to other AWS customer accounts.

We have discovered a critical security issue in the AWS Glue service that allows an attacker to create resources and access data for other AWS Glue users. This vulnerability is a complex multi-step process, ultimately made possible by an internal misconfiguration within AWS Glue. The Glue service is a very attractive target due to its access to large amounts of data.

AWS Glue is a serverless cloud data integration service that helps you discover, prepare, and combine data for app development, machine learning, and analytics.

This vulnerability is due to an exploitable AWS Glue feature and misconfiguration of internal service APIs, which allowed Orca Security’s security researchers to elevate privileges and gain access to all service resources in the region.

In the course of our research, we were able to confirm that using the AWS Glue feature to obtain credentials to roles within the AWS service’s own account allows full access to the internal service APIs.

In combination with Glue’s misconfiguration of the internal service APIs, we were able to further expand the permissions within the account to include unrestricted access to all resources of the service in the region, including full admin rights.

Orca Security added that the findings were uncovered using only AWS accounts owned by Orca Security, and that it did not access any information or data owned by other AWS customers during the investigation.

During the vulnerability research, researchers were able to use roles that the Glue service trusts in other AWS customers’ accounts (every account with access to Glue has at least one such role).

We were also able to query and modify AWS Glue service-related resources in the AWS region, including but not limited to Glue jobs, dev endpoints, workflows, crawlers, triggers, and other metadata.

The AWS Glue services team was able to reproduce and confirm the vulnerability within hours of receiving the Orca Security report, and partially fixed the issue globally by the next morning.

We also deployed a full mitigation for the Superglue vulnerability in just a few days, preventing potential attackers from accessing AWS Glue customers’ data.

Analysis of logs dating back to the launch of the service shows that the activity associated with this issue was only between accounts owned by researchers.

Other customer accounts were not affected. All actions taken by AWS Glue on your account will be recorded in a CloudTrail record that you can manage and view. – AWS
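Since AWS states that every Glue action in a customer account is recorded in CloudTrail, a defender can review that trail for Glue API calls made by roles they do not recognise. The following is an added example, not code from the article, AWS or Orca Security; it runs over constructed CloudTrail records and uses a hypothetical allow-list of role names that the account owner expects to see calling Glue.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real log data). Field names follow
# the CloudTrail event schema; the account ID is the AWS documentation example.
# Two Glue calls come from the account's own job role, one mutating call comes
# from a role the account owner does not recognise.
SAMPLE_EVENTS = [
    {"eventSource": "glue.amazonaws.com", "eventName": "GetJob",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GlueJobRole/session1"}},
    {"eventSource": "glue.amazonaws.com", "eventName": "UpdateJob",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GlueJobRole/session1"}},
    {"eventSource": "glue.amazonaws.com", "eventName": "UpdateDevEndpoint",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/UnknownRole/xyz"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Glue API names that change state (jobs, dev endpoints, crawlers, triggers, ...).
MUTATING_PREFIXES = ("Create", "Update", "Delete", "Put", "Start", "Stop")


def glue_events(events):
    """Keep only records emitted by the Glue service."""
    return [e for e in events if e.get("eventSource") == "glue.amazonaws.com"]


def role_name(arn):
    """Extract <RoleName> from ...:assumed-role/<RoleName>/<session>; other ARNs unchanged."""
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn


def calls_by_principal(events):
    """Count Glue calls per calling identity, for a quick review of who touches Glue."""
    return Counter(e.get("userIdentity", {}).get("arn", "<unknown>") for e in glue_events(events))


def flag_unexpected_mutations(events, allowed_roles):
    """Return (principal_arn, eventName) for mutating Glue calls from non-allow-listed roles."""
    findings = []
    for e in glue_events(events):
        name = e["eventName"]
        if not name.startswith(MUTATING_PREFIXES):
            continue
        arn = e.get("userIdentity", {}).get("arn", "<unknown>")
        if role_name(arn) not in allowed_roles:
            findings.append((arn, name))
    return findings
```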

The AWS security team has also patched the second vulnerability discovered by Orca Security in the AWS CloudFormation service, named BreakingFormation.


According to the researchers, this XXE (XML External Entity) flaw resulted in the disclosure of files and credentials for infrastructure services inside AWS.

“Our research team believes that given the data found on the host, including credentials and data pertaining to internal endpoints, an attacker could exploit this vulnerability to bypass tenant boundaries and gain privileged access to any AWS resource,” said Tzah Pahima of Orca Security.

AWS VP Colm MacCárthaigh denied the security firm’s claims, saying that the BreakingFormation bug could only have been used to access host-level credentials and that AWS CloudFormation hosts do not have access to all AWS account resources.

We are aware of the issue related to AWS Glue ETL and AWS CloudFormation and can confirm that AWS customers’ accounts and data are not affected. Once we heard about this from Orca Security, we took immediate action to mitigate it within hours and added additional controls to the service to prevent a recurrence.
