Thousands of Apps Using AWS ALB Exposed to Attacks Due to Configuration Issue


As many as 15,000 apps that use AWS’s Application Load Balancer (ALB) for authentication could be vulnerable to attacks, according to application security company Miggo.

These attacks, dubbed ALBeast by Miggo, are possible due to what the company describes as a critical configuration issue on the customer side, rather than a vulnerability in the AWS ALB service itself: affected applications trust the identity token ALB injects without checking which load balancer it came from.

AWS ALB is a load balancer that routes traffic to EC2 instances, containers, IP addresses, and Lambda functions based on the content of the request.

AWS was informed about the potential risks in April and it has since updated its documentation and added new code to help customers prevent ALBeast attacks, Miggo said.

A Censys search reveals over 370,000 internet-exposed instances of AWS ALB. Miggo has determined that over 15,000 of them may be vulnerable due to a configuration issue. However, the company noted that even apps that are not exposed to the internet may be targeted by attackers who have network access. 

“First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim’s expected issuer,” Miggo explained.

“AWS subsequently signs the attacker’s forged token with the victim’s issuer. Finally, the attacker uses this minted token against the victim’s application, bypassing both authentication and authorization,” it added.

According to Miggo, an ALBeast attack can enable threat actors to gain unauthorized access to business resources and exfiltrate data. 


Users can prevent attacks by ensuring that apps using ALB authentication verify the token's signer (the signer field in the x-amzn-oidc-data JWT header must be the ARN of their own ALB, not merely a token carrying the expected issuer and a valid AWS signature), and by ensuring that targets accept only traffic from their ALB, for example by restricting the target security group to the load balancer's security group so that a forged token cannot be delivered directly to the application. 
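The attack sequence Miggo describes above and the signer check recommended as a mitigation, as an added example that is not code from the article, from Miggo or from AWS. The ALB ARNs, issuer URL and key identifiers are constructed sample values. Because the real tokens are ES256-signed by AWS-held keys that the verifying application fetches from the regional public-keys endpoint, the example stands in an HMAC-SHA256 "AWS" signer so it runs offline with the standard library; the point it demonstrates is that both the legitimate token and the attacker's token carry the expected issuer and a valid AWS signature, and only the signer comparison tells them apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the article or from AWS).
VICTIM_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                  "loadbalancer/app/victim-alb/0123456789abcdef")
ATTACKER_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:222222222222:"
                    "loadbalancer/app/attacker-alb/fedcba9876543210")
EXPECTED_ISSUER = "https://idp.example.com"

# Stand-in for the per-`kid` signing keys AWS holds. Real ALB tokens are
# ES256-signed; the verifier fetches the public key from
# https://public-keys.auth.elb.<region>.amazonaws.com/<kid>. HMAC-SHA256 is
# used here only so the example runs offline with the standard library.
_AWS_STAND_IN_KEYS = {"kid-a": b"stand-in-key-a", "kid-b": b"stand-in-key-b"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def aws_mint_token(signer_arn, issuer, claims, kid, now):
    """Model of ALB minting x-amzn-oidc-data. AWS sets alg, kid, signer and
    exp in the header; whoever operates the ALB controls iss and the claims,
    which is exactly what the ALBeast attacker exploits with their own ALB."""
    header = {"alg": "ES256", "kid": kid, "iss": issuer, "client": "client-id",
              "signer": signer_arn, "exp": now + 120}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "." +
                     _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(_AWS_STAND_IN_KEYS[kid], signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def stand_in_verify(kid, signing_input, signature):
    """Replace with an ES256 verify against the key fetched for `kid`."""
    key = _AWS_STAND_IN_KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def naive_validate(token, expected_issuer, now, verify=stand_in_verify):
    """Issuer + expiry + signature only: the check an ALBeast-exposed app does."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    return (header.get("iss") == expected_issuer
            and header.get("exp", 0) > now
            and verify(header.get("kid", ""), header_b64 + "." + payload_b64,
                       _b64url_decode(sig_b64)))


def validate_alb_token(token, expected_signer, expected_issuer, now,
                       verify=stand_in_verify):
    """Return (ok, reason, claims). The signer check is what stops ALBeast."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable", None
    if header.get("alg") != "ES256":
        return False, "unexpected alg", None
    if header.get("signer") != expected_signer:
        return False, "signer is not our ALB", None
    if header.get("iss") != expected_issuer:
        return False, "unexpected issuer", None
    if not isinstance(header.get("exp"), int) or header["exp"] <= now:
        return False, "expired", None
    if not verify(header.get("kid", ""), header_b64 + "." + payload_b64, signature):
        return False, "bad signature", None
    return True, "ok", claims


def demo(now=None):
    now = now or int(time.time())
    legit = aws_mint_token(VICTIM_ALB_ARN, EXPECTED_ISSUER,
                           {"sub": "alice", "email": "alice@example.com"}, "kid-a", now)
    # Attacker's own ALB, own IdP, issuer rewritten to the victim's expected value.
    forged = aws_mint_token(ATTACKER_ALB_ARN, EXPECTED_ISSUER,
                            {"sub": "admin", "email": "admin@example.com"}, "kid-b", now)
    return {
        "naive_accepts_legit": naive_validate(legit, EXPECTED_ISSUER, now),
        "naive_accepts_forged": naive_validate(forged, EXPECTED_ISSUER, now),
        "strict_legit": validate_alb_token(legit, VICTIM_ALB_ARN, EXPECTED_ISSUER, now),
        "strict_forged": validate_alb_token(forged, VICTIM_ALB_ARN, EXPECTED_ISSUER, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signer comparison runs before the signature check on purpose: a token from any other ALB is rejected without spending a key fetch on it, and the ARN pins the token to one load balancer in one account rather than to "something AWS signed". The network side of the mitigation (security groups that admit only the ALB) is not shown here; without it an attacker with network access can still hand the token to the target directly, which is why the article lists both measures.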

Related: Cloud Users Warned of Data Exposure Risk From Command-Line Tools

Related: Azure Health Bot Service Vulnerabilities Possibly Exposed Sensitive Data

Related: Vulnerability Allowed Takeover of AWS Apache Airflow Service

Related: SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access
