AWS Patches Vulnerabilities Potentially Allowing Account Takeovers


LAS VEGAS — BLACK HAT USA 2024 — AWS recently patched potentially critical vulnerabilities, including flaws that could have been exploited to take over accounts, according to cloud security firm Aqua Security.

Details of the vulnerabilities were disclosed by Aqua Security on Wednesday at the Black Hat conference, and a blog post with technical details will be made available on Friday. 

“AWS is aware of this research. We can confirm that we have fixed this issue, all services are operating as expected, and no customer action is required,” an AWS spokesperson told SecurityWeek.

The security holes could have been exploited for arbitrary code execution and under certain conditions they could have allowed an attacker to gain control of AWS accounts, Aqua Security said.

The flaws could have also led to the exposure of sensitive data, denial-of-service (DoS) attacks, data exfiltration, and AI model manipulation. 

The vulnerabilities were found in AWS services such as CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. 

When one of these services is used for the first time in a new region, an S3 bucket with a specific name is automatically created. The name consists of the service name, the AWS account ID and the region's name, which made the bucket name predictable, the researchers said.

Then, using a method named ‘Bucket Monopoly’, attackers could have created the buckets in advance in all available regions to perform what the researchers described as a ‘land grab’. 


They could then store malicious code in the bucket and it would get executed when the targeted organization enabled the service in a new region for the first time. The executed code could have been used to create an admin user, enabling the attackers to gain elevated privileges.  

“Because S3 bucket names are unique across all of AWS, if you capture a bucket, it’s yours and no one else can claim that name,” said Aqua researcher Ofek Itach. “We demonstrated how S3 can become a ‘shadow resource,’ and how easily attackers can discover or guess it and exploit it.”
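A defender-side audit of the predictable-name exposure described above, as an added example that is not from the article, AWS or Aqua Security: it builds the expected bucket name for every service/region pair and classifies each one against the buckets the account actually owns. The name template, the service labels, the account ID and the bucket inventories are constructed assumptions, and `probe` is a hypothetical stand-in for a live existence check.

```python
from itertools import product

# ASSUMPTION: placeholder template joining the three parts the article names.
# The real per-service formats are not given on the page; substitute them.
NAME_TEMPLATE = "{service}-{account_id}-{region}"

def candidate_names(services, account_id, regions, template=NAME_TEMPLATE):
    """Yield (service, region, bucket_name) for every service/region pair."""
    for service, region in product(services, regions):
        yield service, region, template.format(
            service=service, account_id=account_id, region=region)

def audit(services, account_id, regions, owned, probe):
    """Classify each predictable name.
    owned: bucket names listed in our own account.
    probe: callable(name) -> True if the name exists anywhere in S3.
    """
    findings = []
    for service, region, name in candidate_names(services, account_id, regions):
        if name in owned:
            status = "OWNED"      # we hold the globally unique name
        elif probe(name):
            status = "FOREIGN"    # exists outside our account: investigate
        else:
            status = "UNCLAIMED"  # nobody holds it yet; service not enabled here
        findings.append((service, region, name, status))
    return findings

# Constructed sample data (not from the article).
ACCOUNT_ID = "111122223333"
SERVICES = ["glue", "emr"]                 # hypothetical service labels
REGIONS = ["us-east-1", "eu-west-1"]
OWNED = {"glue-111122223333-us-east-1"}
EXISTS_GLOBALLY = OWNED | {"emr-111122223333-eu-west-1"}  # simulated squat

def demo():
    return audit(SERVICES, ACCOUNT_ID, REGIONS, OWNED,
                 probe=lambda name: name in EXISTS_GLOBALLY)

if __name__ == "__main__":
    for row in demo():
        print("{:<5} {:<10} {:<32} {}".format(*row))
```

Against a live account, `probe` would wrap an S3 HeadBucket request, where any response other than "not found" for a name outside `owned` means the name is already held elsewhere.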

At Black Hat, Aqua Security researchers also announced the release of an open source tool, and presented a method for determining whether accounts were vulnerable to this attack vector in the past. 
