Severe AWS flaws reveal RCE, data theft, and full-service breaches

August 10, 2024
1 min read
Article Summary

TLDR:

  • Multiple critical flaws in AWS offerings discovered by cybersecurity researchers
  • Attack vector called Shadow Resource allows for RCE, data theft, and full-service takeovers

Article Summary:

Cybersecurity researchers have uncovered severe vulnerabilities in Amazon Web Services (AWS) that could lead to remote code execution (RCE), data theft, and full-service takeovers. One of the key issues identified, dubbed Bucket Monopoly, involves an attack vector known as Shadow Resource: certain AWS services automatically create S3 buckets whose names follow a predictable pattern, and an attacker can exploit that to gain access to sensitive data and escalate privileges. By creating these predictably named buckets in advance, while they are still unclaimed, and waiting for legitimate AWS customers to enable the vulnerable services, threat actors can execute malicious code, manipulate data, and potentially gain control over victim accounts without their knowledge.

Aqua, the cloud security firm behind the research, presented these findings at Black Hat USA 2024 after responsibly disclosing the vulnerabilities to Amazon in February 2024. The flaws were addressed by Amazon over several months from March to June. The attack vector not only affects AWS services but also open-source projects that automatically create S3 buckets, making organizations vulnerable to similar threats. To mitigate these risks, Aqua recommends generating unique hashes or random identifiers for S3 bucket names to prevent attackers from claiming buckets prematurely.

In addition to Bucket Monopoly, Aqua identified similar naming methodologies in other AWS services like Glue, EMR, SageMaker, CodeStar, and ServiceCatalog, leaving them exposed to Shadow Resource attacks. By leveraging this naming convention, threat actors can escalate privileges, perform malicious actions, and potentially execute arbitrary code. The firm also highlighted the importance of considering AWS account IDs as secrets to prevent similar attacks and recommended implementing unique identifiers for bucket names in all regions to enhance security.
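The two defensive measures above (random bucket names, and checking that a bucket you are about to use is really yours) as an added example, not code from Aqua or AWS. The `demo-svc` naming pattern, the account IDs and the `FakeS3` client are constructed for the demo; with a real boto3 client the same `head_bucket(..., ExpectedBucketOwner=...)` call returns 403 when another account owns the bucket.

```python
import re
import secrets

# S3 bucket-name rules: 3-63 chars, lowercase/digits/dots/hyphens, alnum ends.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def predictable_bucket_name(service: str, account_id: str, region: str) -> str:
    """Hypothetical risky pattern: built only from values an attacker can learn
    (service, account ID, region), so anyone can compute and pre-claim it."""
    return f"{service}-{account_id}-{region}"


def unguessable_bucket_name(service: str, region: str, nbytes: int = 12) -> str:
    """Mitigation the article recommends: a random identifier in the name. The
    account ID is left out because the article says to treat it as a secret."""
    name = f"{service}-{region}-{secrets.token_hex(nbytes)}"
    if not _BUCKET_RE.match(name):
        raise ValueError(f"invalid bucket name: {name}")
    return name


class FakeS3:
    """Constructed stand-in for a boto3 S3 client. `owners` maps bucket name to
    owning account ID; head_bucket mimics ExpectedBucketOwner semantics:
    error 404 if the bucket is absent, 403 if another account owns it."""

    def __init__(self, owners: dict):
        self.owners = owners

    def head_bucket(self, Bucket: str, ExpectedBucketOwner: str):
        if Bucket not in self.owners:
            raise RuntimeError("404 NoSuchBucket")
        if self.owners[Bucket] != ExpectedBucketOwner:
            raise RuntimeError("403 Forbidden: bucket owned by another account")
        return {}


def bucket_is_ours(s3, bucket: str, my_account_id: str) -> bool:
    """Run before any read or write. A bucket that exists but is not ours (403)
    is exactly the shadow-resource case and must not be used."""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=my_account_id)
        return True
    except Exception:  # botocore.exceptions.ClientError with a real client
        return False


# Constructed scenario: an attacker account pre-claimed the predictable name.
VICTIM, ATTACKER, REGION = "111111111111", "999999999999", "us-east-1"
PRECLAIMED = predictable_bucket_name("demo-svc", VICTIM, REGION)
S3 = FakeS3({PRECLAIMED: ATTACKER})
```

`bucket_is_ours(S3, PRECLAIMED, VICTIM)` returns False here, so the service must refuse the bucket instead of writing into it; a randomly named bucket that the service creates itself passes the check.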
