Vulnerability Allowed One-Click Takeover of AWS Service Accounts


Cybersecurity firm Tenable on Thursday disclosed the details of a one-click vulnerability that could have been exploited to take complete control of user accounts on an AWS service.  

The vulnerability, named FlowFixation by Tenable, has been patched by AWS and can no longer be exploited, but the security company pointed out that its research uncovered a wider class of problem that could resurface in other cloud services.

The FlowFixation vulnerability is related to the Apache Airflow open source workflow management platform. The flaw affected Amazon Managed Workflows for Apache Airflow (MWAA), the AWS service that lets users build, schedule and monitor workflows in a managed Airflow deployment without having to operate the underlying infrastructure.

Tenable pointed out that Apache Airflow is a very popular tool, with 12 million downloads per month. Twenty percent of the company’s customers use managed services for Airflow. 

The FlowFixation vulnerability existed due to a session fixation issue in the MWAA web management panel and an AWS domain misconfiguration that led to cross-site scripting (XSS). 

“By abusing the vulnerability, an attacker could have forced victims to use and authenticate the attacker’s known session. This manipulation could have enabled the attacker to later use the same, now-authenticated session to take over the victim’s web management panel,” Tenable explained. 

A malicious actor could have exploited the FlowFixation flaw to take over the targeted user’s MWAA web management panel and leverage it to perform tasks such as reading connection strings, adding configurations, and triggering DAGs (directed acyclic graphs, the workflow definitions Airflow executes), which could have led to remote code execution on the underlying instance or lateral movement to other services.
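The session fixation pattern described above, reduced to a toy login handler, as an added example (this is illustrative code written for this page, not MWAA's or Airflow's implementation, and the session store, user table and password are constructed). The vulnerable handler keeps whatever session id the browser presented and marks it authenticated; the hardened one discards the pre-authentication session and issues a fresh id on login, so an id the attacker planted beforehand never becomes authenticated.

```python
"""Session fixation: vulnerable versus hardened login (added example, toy server)."""
import hmac
import secrets

# Constructed user table for the demo; a real service would verify a password hash.
USERS = {"victim": "correct-horse-battery"}


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """In-memory session store: session id -> {"user": name-or-None}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # Unguessable id, issued before authentication (a normal "pre-login" session).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_vulnerable(store, presented_sid, username, password):
    """Keeps the session id the browser presented and upgrades it to authenticated.

    Anyone who already knows that id (because they chose it and planted it in the
    victim's browser) now holds an authenticated session for the victim."""
    if not check_password(username, password):
        return None
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {"user": None}
    store.sessions[presented_sid]["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username, password):
    """Discards the pre-login session and issues a new id after authentication."""
    if not check_password(username, password):
        return None
    store.sessions.pop(presented_sid, None)  # attacker-known id becomes useless
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def simulate_fixation(login):
    """Runs one fixation attempt; returns (user bound to attacker's id, user bound to victim's id)."""
    store = SessionStore()
    # 1. Attacker obtains a valid, unauthenticated session id from the server.
    attacker_sid = store.new_session()
    # 2. Attacker plants that id in the victim's browser. In the case the article
    #    describes this was done with a cookie tossed from a sibling subdomain of
    #    the shared parent domain; how it gets there does not matter to the server.
    # 3. Victim logs in while presenting the attacker-chosen id.
    victim_sid = login(store, attacker_sid, "victim", "correct-horse-battery")
    # 4. Attacker replays the id they already know.
    return store.user_for(attacker_sid), store.user_for(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(login_vulnerable))  # ('victim', 'victim')
    print("hardened:  ", simulate_fixation(login_hardened))    # (None, 'victim')
```

Regenerating the id on every privilege change (login, role elevation) is the standard fix; fixing the cookie scoping problem described later in the article removes one delivery channel, but a server that regenerates sessions is safe even if the attacker finds another way to plant a cookie.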

Tenable’s research also revealed a wider problem with same-site attacks related to shared-parent domains and the Public Suffix List (PSL). The PSL is a community-maintained list of domain suffixes under which unrelated parties can register names; it contains TLDs such as ‘com’ as well as private suffixes such as ‘github.io’, and browsers consult it to decide how widely a cookie may be scoped and which hosts count as the same site.


Many cloud services offered by the same vendor share a parent domain. For instance, several AWS services use ‘amazonaws.com’.

“This sharing leads to a scenario in which non-related customers host their assets on subdomains of the ‘amazonaws.com’ shared parent domain. The problem is that some assets may also allow client-side code execution as a service,” Tenable explained.

“If we compare it to an on-prem environment, this scenario is like an XSS on a subdomain of a website you do not own. In an on-prem setting you would not normally allow users to run XSS on your subdomain, but in the cloud, allowing this is quite natural,” the security firm added. “For example, when creating an AWS S3 bucket, you can run client-side code by storing an HTML page in your bucket. The code will run in the context of the S3 bucket subdomain you were granted and also in the context of the shared parent domain, ‘amazonaws.com’.”

An analysis showed that shared-parent service domains not only on AWS but also on Azure and Google Cloud were misconfigured and put their customers at risk of attacks. These risks include cookie tossing (a cookie set from one customer’s subdomain with the shared parent as its Domain attribute is sent to every sibling subdomain, which can lead to session fixation abuse and CSRF protection bypass) and same-site cookie protection bypass (two customers’ hosts under the same unlisted parent are treated by browsers as the same site, so SameSite cookie restrictions do not separate them).

AWS and Microsoft took steps to mitigate the risk in response to Tenable’s report, but Google said it would not implement a fix after determining that it is not severe enough to be tracked as a security issue.

Tenable noted that adding the misconfigured domains to the PSL prevents exploitation of vulnerabilities like FlowFixation, as well as other types of flaws found in these services. 
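To make concrete both the cookie tossing and same-site risks described above and the PSL-based mitigation, here is an added example (written for this page, not Tenable’s, AWS’s or any browser’s code) implementing the cookie-scoping rules browsers apply: a Domain attribute must cover the host that sets it and must not itself be a public suffix, and two hosts are the same site when their registrable domains (public suffix plus one label) match. The PSL excerpts are constructed to show the before/after effect of listing a shared parent domain and are not copies of the real list; the bucket and environment host names are hypothetical and do not reflect the actual S3 or MWAA naming schemes. Wildcard and exception rules of the real PSL are not implemented.

```python
"""Cookie scoping and same-site decisions driven by a Public Suffix List (added example)."""


def _labels(host):
    return host.lower().strip(".").split(".")


def public_suffix(host, psl):
    """Longest suffix of `host` that appears in `psl` (exact entries only)."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]  # PSL convention: an unknown TLD is itself a public suffix


def registrable_domain(host, psl):
    """Public suffix plus one label (eTLD+1); None when the host is a public suffix."""
    suffix = public_suffix(host, psl)
    labels = _labels(host)
    n = len(suffix.split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def domain_matches(host, domain):
    """RFC 6265 domain matching: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_domain_allowed(request_host, cookie_domain, psl):
    """May a response from `request_host` set a cookie with Domain=`cookie_domain`?

    Browsers reject a Domain attribute that does not cover the setting host, and
    one that is a public suffix (otherwise any site under .com could toss cookies
    to every other .com site)."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    if not domain_matches(request_host, cookie_domain):
        return False
    if public_suffix(cookie_domain, psl) == cookie_domain:
        return False
    return True


def same_site(host_a, host_b, psl):
    """SameSite treats two hosts as one site when their registrable domains match
    (scheme is ignored here for brevity)."""
    a, b = registrable_domain(host_a, psl), registrable_domain(host_b, psl)
    return a is not None and a == b


# Constructed PSL excerpts (assumptions for the demo, not the real list).
PSL_WITHOUT_ENTRY = {"com"}
PSL_WITH_ENTRIES = {"com", "amazonaws.com", "s3.amazonaws.com"}

# Hypothetical host names: an attacker-controlled bucket and a victim's web panel
# that merely share the parent domain.
ATTACKER_HOST = "attacker-bucket.s3.amazonaws.com"
VICTIM_HOST = "victim-env.c1.mwaa.amazonaws.com"


def cookie_toss(psl, planted_domain="amazonaws.com"):
    """Simulate tossing a cookie scoped to `planted_domain` from the attacker's host.

    Returns (attacker may set it, victim's host receives it, hosts are same-site)."""
    may_set = cookie_domain_allowed(ATTACKER_HOST, planted_domain, psl)
    receives = may_set and domain_matches(VICTIM_HOST, planted_domain)
    return may_set, receives, same_site(ATTACKER_HOST, VICTIM_HOST, psl)


if __name__ == "__main__":
    print("parent not on PSL:", cookie_toss(PSL_WITHOUT_ENTRY))  # (True, True, True)
    print("parent on PSL:    ", cookie_toss(PSL_WITH_ENTRIES))   # (False, False, False)
```

With the shared parent absent from the list, the attacker’s bucket can set a cookie for ‘amazonaws.com’, every sibling host receives it, and SameSite offers no separation because both hosts resolve to the same registrable domain. Listing the parent (and the service-level suffixes beneath it) makes the Domain attribute a public suffix, so the browser refuses the cookie, and the two hosts become distinct sites. Note that this only helps once browsers ship a PSL revision containing the entry, so it is a slow-moving fix compared with changing the service itself.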

Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Related: ‘Looney Tunables’ Glibc Vulnerability Exploited in Cloud Attacks 

