Amazon Web Services has closed two vulnerabilities in its core services, one of which could have allowed any user to access and take control of any company's infrastructure, cloud security firm Orca Security said in an analysis published on Jan. 13.
While the vulnerabilities are now fixed, the attack chain that involves compromising a core service, escalating privileges, and using that privilege to attack other users is not limited to Amazon. This method affects many other cloud vendors, says Yoav Alon, chief technology officer at Orca Security. At the heart of the problem is a lack of isolation between services and too little granularity in the permissions of different services and users, he says.
The company has already reported similar issues to other cloud services, but Alon would not give specifics about those vulnerabilities until the company's disclosure process is complete.
"We believe that these are the next big wave of critical vulnerabilities because we moved trust from our data centers to cloud services — and good thing we did because they are better at security than most companies," he says. "Now an issue that is in your cloud provider affects you and you may not even know it."
The most significant of the two vulnerabilities occurred in AWS Glue, a serverless integration service that allows AWS users to manage, clean, and transform data, and makes the datastore available to the user's other services. Using this flaw, attackers could compromise the service and become an administrator — and because the Glue service is trusted, they could use their role to access other users' environments.
The exploit allowed Orca's researchers to "escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges," the company stated in its advisory.
Orca's researchers could assume roles in other AWS customers' accounts that have a trusted relationship with the Glue service. Orca maintains that every account that uses the Glue service has at least one role that trusts the Glue service.
A second vulnerability in the CloudFormation (CF) service, which allows users to provision resources and cloud assets, allowed the researchers to compromise a CF server and run as an AWS infrastructure service. The vulnerability, an XML External Entity (XXE) issue, could likely have allowed attacks to pierce through the protections isolating different AWS users, Orca Security stated in a second advisory.
"We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected," an Amazon Web Services representative said in a statement. "Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence."
Cloud providers should work to improve the isolation of their services to prevent attackers from using vulnerabilities in a core service to compromise the security model of the overall cloud, Orca's Alon says. A similar issue affected Azure in August 2021, when researchers at cloud security firm Wiz.io found a flaw in the way Microsoft integrated Jupyter Notebooks, a data-science feature, and its Cosmo DB database-as-a-service. By using Jupyter Notebooks, attackers could access the Cosmo DB instances of other users.
The AWS vulnerabilities underscore the benefits and drawbacks of the cloud model. Security issues affecting cloud providers often put every customer at risk, and there is little most customers can do to protect their data and environments. Compare that to widespread software issues, such as the Log4j vulnerability: Security and IT teams can patch the issue, keep watch for attacks, and put in workarounds.
Still, eliminating the Log4j issue remains a problem because different companies patch the issue at different rates. Orca found that three-quarters of its customers were still vulnerable to the Log4j vulnerabilities two weeks after the issue was disclosed. Amazon, on the other hand, patched the Glue flaw discovered by Orca within 48 hours and the CloudFormation problem within six days, according to the security firm.
"Cloud providers do a tremendous job of security, but there are still issues," says Alon. "If they compartmentalize better and create a better permission system in their service, it would prevent a lot of these issues. They also need to segment their networks better and have a better security model if there is a breach in their service."
Orca Security discovered the issues in September and October. They used a dummy account to test the vulnerabilities, preventing researchers from exposing the data of other AWS customers. The vulnerabilities were fixed by Amazon, and the patches were tested by Orca to verify the fixes.