AWS patches worrying security flaw that could have led to AWS Apache Airflow hijacking


Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) carried a flaw that allowed threat actors to hijack users’ sessions and remotely execute malicious code on the underlying instances, experts have warned.

Cybersecurity researchers at Tenable discovered the vulnerability and dubbed it FlowFixation, explaining that it stems from both session fixation on the AWS MWAA web management platform and a misconfiguration in the AWS domain. Together, these two open the door to a cross-site scripting (XSS) attack.

"Upon taking over the victim's account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS)," Tenable’s senior security researcher, Liv Matan, explained. "Under certain circumstances such actions can result in RCE (remote code execution) on the instance that underlies the MWAA, and in lateral movement to other services."

Highlighting a broader issue with domain architecture

The Hacker News describes session fixation as a web attack technique that happens “when a user is authenticated to a service without invalidating any existing session identifiers”. This allows the attacker to force (or fixate) a known session identifier on a user so that, when the user does authenticate, the attacker is granted access to the session.
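The difference between authenticating into an existing session identifier and invalidating it at login, as an added example (not code from Tenable, AWS or Apache Airflow). The names `SessionStore`, `login_keep_id`, `login_rotate_id` and `audit_login` are hypothetical, and the in-memory store stands in for a real server-side session backend.

```python
import secrets


class SessionStore:
    """Constructed in-memory session table: session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # New anonymous session with an unpredictable identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        # Flawed pattern: the identifier presented before authentication is
        # kept, so anyone who already knows it shares the logged-in session.
        self._sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Hardened pattern: invalidate the pre-login identifier and bind the
        # authenticated user to a freshly generated one.
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def audit_login(store, login):
    """Check whether an identifier known before login is still valid after it."""
    known = store.create()          # identifier that existed before login
    issued = login(known, "alice")  # identifier the server uses after login
    return {
        "rotated": issued != known,
        "old_id_authenticated": store.user_for(known) == "alice",
    }


if __name__ == "__main__":
    for name in ("login_keep_id", "login_rotate_id"):
        store = SessionStore()
        print(name, audit_login(store, getattr(store, name)))
```

The same check works as a regression test for any login handler: the identifier issued before authentication must not resolve to a user afterwards.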

"FlowFixation highlights a broader issue with the current state of cloud providers' domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks," Matan said. The misconfiguration also affects Azure and Google Cloud, they added. 

After discovering the flaw, Tenable notified Amazon, which subsequently issued a patch. Both AWS and Azure added the misconfigured domains to the Public Suffix List (PSL). For Google, the issue isn’t dangerous enough to warrant a patch, The Hacker News reported.

The full technical analysis of the vulnerability is available on Tenable’s blog.

In a statement, AWS spokesperson Patrick Neighorn told TechRadar Pro, “AWS deployed a fix for these findings in September 2023, so customers running the current version of Amazon Managed Workflows for Apache Airflow (MWAA) are not impacted. We informed affected customers last year and encouraged them to update their environments through the AWS Console, API, or the AWS Command Line Interface. Before we resolved the matter, taking advantage of the findings was a complex process that would have required social engineering.”  

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.