These two major AWS security flaws could have left user accounts wide open

Amazon Web Services logo
(Image credit: Future / Mike Moore)

Amazon Web Services (AWS) has been forced to patch two major security vulnerabilities, which could have been used to steal sensitive data, reports have claimed.

The two vulnerabilities in Amazon’s cloud computing arm were discovered by cybersecurity researchers from Orca Security, and were dubbed Superglue and BreakingFormation.

Superglue exploits an issue in AWS Glue, allowing users to access data managed by other Glue users. AWS Glue is a service that customers use to store huge swathes of data.

A fix within a day

"We were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account," Orca said, "which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges."

By taking advantage of the flaw, Orca’s researchers managed to do a number of potentially malicious things, such as assume roles in AWS customer accounts trusted by Glue; query and modify AWS Glue service-related resources in a specific region; and discover a way to access data managed by other Glue users. It’s important to note that Orca did not actually gain access to anyone else’s data.

BreakingFormation leverages a vulnerability found in AWS CloudFormation, a tool that lets users “model, provision, and manage AWS and third-party resources by treating infrastructure as code.”

According to Orca, this vulnerability could have been used to steal sensitive data from third parties.

Orca’s researchers tested the fixes (which allegedly took AWS roughly 25 hours to code) and found that the vulnerabilities were fully patched and no longer exploitable.

Via: PCMag

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.