AWS fixes security flaws that exposed AWS customer data
Amazon Web Services (AWS) has addressed an AWS Glue security issue that could have allowed attackers to access and alter data belonging to other AWS customer accounts.

AWS Glue is a serverless cloud data integration service that helps discover, prepare, and combine data for app development, machine learning, and analytics.

The flaw stemmed from an exploitable AWS Glue feature combined with a misconfiguration in Glue's internal service API, which together allowed Orca Security researchers to escalate privileges until they had access to all Glue service resources in the region.

“During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API,” explained Yanir Tsarimi, a Cloud Security Researcher at Orca Security.

“In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”

The researchers added that their findings were uncovered using only Orca Security-owned AWS accounts and that they didn’t access information or data belonging to other AWS customers during their research.

Figure: attack flow

While investigating the vulnerability, the researchers found they could assume roles trusted by the Glue service in other AWS customers' accounts (every account that uses Glue has at least one role that trusts the Glue service).
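Because every Glue-using account carries at least one role that trusts glue.amazonaws.com, the first thing a practitioner will want is an inventory of those roles. The script below is an added example written for this page (not Orca Security's or AWS's tooling): it walks a list of roles shaped like the `Roles` array of `aws iam list-roles --output json`, reports each role whose trust policy lets glue.amazonaws.com assume it, and flags trust statements that lack an aws:SourceAccount or aws:SourceArn condition. Those condition keys are AWS's general cross-service confused-deputy hardening for service roles; they are not the fix for Superglue itself (AWS's mitigation was server-side), so an unguarded result is a hygiene finding, not proof of exposure. The sample roles and the account ID 111122223333 are constructed.

```python
import json
import sys

GLUE_SERVICE = "glue.amazonaws.com"
# Condition keys AWS documents for cross-service confused-deputy prevention
# (IAM condition key names are case-insensitive, so compare lower-cased).
CONFUSED_DEPUTY_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_trusts_service(stmt, service=GLUE_SERVICE):
    """True if this trust-policy statement lets `service` assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & ASSUME_ACTIONS:
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True  # wildcard principal: anyone, the service included
    if not isinstance(principal, dict):
        return False
    return service in _as_list(principal.get("Service"))


def has_confused_deputy_guard(stmt):
    """True if the statement scopes the service principal with a
    aws:SourceAccount or aws:SourceArn condition."""
    for operator_values in stmt.get("Condition", {}).values():
        for key in operator_values:
            if key.lower() in CONFUSED_DEPUTY_KEYS:
                return True
    return False


def audit_roles(roles, service=GLUE_SERVICE):
    """Return one finding per trust statement that lets `service` assume a role.

    `roles` is the "Roles" list from `aws iam list-roles --output json` or
    boto3's iam.list_roles(), where AssumeRolePolicyDocument is already a
    decoded dict; a JSON string is accepted as well.
    """
    findings = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement")):
            if statement_trusts_service(stmt, service):
                findings.append({
                    "RoleName": role["RoleName"],
                    "Guarded": has_confused_deputy_guard(stmt),
                })
    return findings


# Constructed sample: two Glue-trusting roles (one scoped, one not) and one
# unrelated Lambda role, in the shape `aws iam list-roles` returns.
SAMPLE_ROLES = [
    {"RoleName": "AWSGlueServiceRole-Default",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "GlueETL-Scoped",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": ["glue.amazonaws.com"]},
          "Action": "sts:AssumeRole",
          "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}},
    {"RoleName": "LambdaExecRole",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
]


if __name__ == "__main__":
    # Real use: aws iam list-roles --output json | python audit_glue_trust.py
    roles = SAMPLE_ROLES if sys.stdin.isatty() else json.load(sys.stdin)["Roles"]
    for finding in audit_roles(roles):
        guard = "yes" if finding["Guarded"] else "NO"
        print(f"{finding['RoleName']}: trusts {GLUE_SERVICE}, confused-deputy guard={guard}")
```

Run with no stdin to see the constructed sample, or pipe `aws iam list-roles --output json` into it to audit a real account. Roles that show up unguarded deserve a look at what their permission policies actually grant, since that is the blast radius if anything in the Glue service path is ever abused again.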


They could also query and modify AWS Glue service resources across an AWS region, including but not limited to metadata for Glue jobs, dev endpoints, workflows, crawlers, and triggers.

The AWS Glue service team reproduced and confirmed the flaw within hours of receiving Orca Security's report and had a partial mitigation deployed globally by the following morning.

Full mitigation for the vulnerability, which Orca dubbed Superglue, followed within a few days, closing the path by which an attacker could have reached AWS Glue customers' data.

AWS' security team has also patched a second vulnerability found by Orca Security, this one in the AWS CloudFormation service and dubbed BreakingFormation.

According to the researchers, this XXE (XML External Entity) flaw allowed files and credentials to be read from internal AWS infrastructure hosts.

“Our research team believes, given the data found on the host (including credentials and data involving internal endpoints), that an attacker could abuse this vulnerability to bypass tenant boundaries, giving them privileged access to any resource in AWS,” Orca Security’s Tzah Pahima added.

However, AWS VP Colm MacCárthaigh denied the security firm's claims, saying that the BreakingFormation bug could only have been used to access host-level credentials and that AWS CloudFormation hosts don't have access to resources in all AWS accounts.
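To make the class of bug behind BreakingFormation concrete, here is an added example that is not CloudFormation's code (which is not public) and not Orca's exploit: a template parser built on Python's xml.sax that leaves external entity resolution switched on, beside the same parser with it off. The attacker-supplied template and the temporary file standing in for a host credential file are both constructed; the only difference between the leaking and the safe run is the `feature_external_ges` flag.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, the way a naive template parser copies a
    field such as a Description into its output or its error messages."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_template(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an XML template and return its text content.

    With feature_external_ges on, the parser fetches every
    <!ENTITY x SYSTEM "..."> reference and inlines whatever it reads,
    which is the XXE footgun.  Off, the reference is simply skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def build_malicious_template(path: str) -> bytes:
    """Constructed attacker-supplied template whose entity points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE Template [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        "<Template><Description>&xxe;</Description></Template>\n"
    ).encode()


def demo() -> tuple:
    """Returns (text the vulnerable parser leaks, text the hardened parser returns)."""
    with tempfile.NamedTemporaryFile("w", suffix=".cred", delete=False) as f:
        # Constructed stand-in for a credential file on the parsing host.
        f.write("AKIA_EXAMPLE_NOT_A_REAL_KEY\n")
        secret_path = f.name
    try:
        template = build_malicious_template(secret_path)
        leaked = parse_template(template, resolve_external_entities=True)
        safe = parse_template(template, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities ON :", repr(leaked))
    print("external entities OFF:", repr(safe))
```

The same shape applies to any XML-accepting service endpoint: if the parser resolves SYSTEM entities, a template the tenant controls becomes a file read on the service's host, and whatever that host holds (credentials included) flows back through error messages or output fields. The practitioner's check is the parser configuration, not the template content.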
