A vulnerability in a library created by network virtualization firm Eltima — and used by a variety of vendors, including Amazon — has left more than a dozen cloud services vulnerable to a privilege escalation attack.
Research from security firm SentinelOne found that the vulnerabilities in Eltima's software development kit (SDK) for virtual networking — which is used by a variety of cloud-based virtualization services, including Amazon's WorkSpaces agent, its Nimble Studio AMI, and Eltima's USB Network Gate — could allow an attacker to execute code in the kernel through a buffer overflow to gain higher privileges.
The ability to elevate privileges to kernel or root would allow malicious software to turn off security products and gain access to sensitive information that would otherwise be protected, says J.A. Guerrero-Saade, a principal threat researcher at SentinelOne.
"It’s important to pay attention to these different privilege escalation vulnerabilities precisely because they allow run-of-the-mill threats to act unimpeded," he says. "When used properly, [such a] vulnerability can effectively alter security policies and disable the very security products that customers depend on to be protected."
The impact of a single SDK on more than a dozen services shows the problems posed by supply chain risks, SentinelOne stated in its advisory. Vulnerabilities in a common SDK are being inherited by software products that rely on it, an event that has become increasingly common. While open source projects are commonly the source of such code — and subsequent vulnerabilities — the projects have become better at patching issues, reducing the average time to update to 28 days in 2021, down from 371 days a decade ago.
Yet application programming interfaces (APIs) — a common way to allow developers to use code as a service — also have become a source of supply chain vulnerabilities. Last month, a researcher presented methods for bypassing Amazon's API Gateway and using the service to conduct cache-poisoning attacks.
The latest vulnerabilities found by SentinelOne are not in the various services themselves but in the USB over Ethernet functionality, which is included in the Eltima SDK. The security flaws not only affect client systems, such as laptops and desktops running Amazon WorkSpaces software, but also cloud-based machine instances running that are using services, such as Amazon Nimble Studio AMI.
SentinelOne confirmed the issues in Amazon Web Services, NoMachine, and Accops, but believes that other cloud vendors are likely affected as well.
"Vulnerabilities in third-party code have the potential to put huge numbers of products, systems, and ultimately, end users at risk, as we’ve noted before," SentinelOne stated in its advisory. "The outsized effect of vulnerable dependency code is magnified even further when it appears in services offered by cloud providers. We urge all organizations relying on the affected services to review the recommendations above and take appropriate action."
The vulnerabilities occur because the code does not check calls to validate, probe, lock, or map the buffer, according to SentinelOne. While SentinelOne used an overflow to execute code, double fetches and arbitrary pointer dereferences are also possible, the company said.
The vulnerabilities affects software from Amazon, Accops, Eltima, Amzetta, and NoMachine. SentinelOne originally disclosed the issues to the companies in May, June, and July. Amazon released patched versions of its software in July, and other companies released updated software in September and October.
"We have listed different software and cloud products that we are aware of that rely on the Eltima SDK and the respective vendors have done their best to mitigate the issue," says SentinelOne's Guerrero-Saade. "We encourage enterprise defenders and end users to make sure the relevant products are patched and up-to-date. Furthermore, software developers that rely on the Eltima SDK for their solutions need to make sure that they’re using the latest version and to provide updates downstream as needed."
Companies should urge their cloud virtualization service provider to check whether they use the Eltima USB over Ethernet library, even if the company is not listed among the affected vendors. Amazon Web Services customers can check their maintenance settings, while Accops and NoMachine both have released advisories.
So far, there has been no evidence that the vulnerabilities have been exploited in the wild, SentinelOne stated in its advisory.