The first flaw, which Orca dubbed Superglue, was a problem in AWS Glue that users could exploit to gain access to information managed by other AWS Glue users.
Amazon Web Services (AWS) describes Glue as “a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development.” It’s fair to say that AWS customers use it to manage large amounts of data. So large, in fact, that AWS lets Glue users store up to 1 million objects for free.
“We were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account,” Orca says, “which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”
The company says that it was able to exploit this flaw to:
Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there’s at least one role of this kind.
Query and modify AWS Glue service-related resources in a region. This includes but is not limited to metadata for: Glue jobs, dev endpoints, workflows, crawlers, and triggers.
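The first bullet above hinges on IAM roles whose trust policy allows the Glue service principal to assume them. Because every account that uses Glue carries at least one such role, a defender's first step is simply to know which roles those are. The following is an added example written for this article; it is not Orca's or AWS's code. It scans a set of role trust policies for statements that let `glue.amazonaws.com` call `sts:AssumeRole`, and notes whether each statement carries an `aws:SourceAccount` or `aws:SourceArn` condition (the standard confused-deputy guard for service principals; the article does not say whether such a condition affected Superglue, so treat the flag as inventory, not as a verdict). The role names, account id `111122223333` and policy documents are constructed sample data.

```python
import json

# Constructed sample trust policies for three roles (not real account data).
SAMPLE_ROLES = {
    "GlueServiceRole-etl": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "glue.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    "GlueServiceRole-scoped": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["glue.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
        }],
    },
    "AppDeployRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }],
    },
}

SCOPING_KEYS = {"aws:SourceAccount", "aws:SourceArn"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def glue_trusted_roles(role_policies, service="glue.amazonaws.com"):
    """Return roles whose trust policy lets `service` assume them.

    role_policies maps role name -> trust policy (dict or JSON string).
    Each finding records whether the allowing statement is scoped with
    aws:SourceAccount / aws:SourceArn.
    """
    findings = []
    for name, doc in role_policies.items():
        if isinstance(doc, str):
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            if not actions & {"sts:assumerole", "sts:*", "*"}:
                continue
            principal = stmt.get("Principal", {})
            if not isinstance(principal, dict):
                continue  # "*" or a bare string is not a service principal
            if service not in _as_list(principal.get("Service", [])):
                continue
            condition = stmt.get("Condition", {})
            scoped = any(key in SCOPING_KEYS
                         for operator in condition.values()
                         for key in operator)
            findings.append({"role": name, "scoped": scoped})
    return findings


if __name__ == "__main__":
    for finding in glue_trusted_roles(SAMPLE_ROLES):
        status = "scoped" if finding["scoped"] else "UNSCOPED"
        print(f"{finding['role']}: trusts glue.amazonaws.com ({status})")
```

Against a live account, the same function can be fed the output of `boto3`'s `iam.list_roles()`, where each role entry carries its trust policy under `AssumeRolePolicyDocument`; the logic above is unchanged, only the input source differs.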
Orca says it confirmed the ability to access information managed by other AWS Glue users by utilizing numerous accounts it controlled; the company didn’t gain access to anyone else’s data while it was researching this flaw. It also says that AWS responded to its disclosure within a few hours, had a partial mitigation the next day, and fully mitigated the issue “a few days later.”
The second flaw affected AWS CloudFormation, which AWS says “lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code.” (This “infrastructure as code” paradigm has become increasingly popular among companies looking to make setting up and maintaining their networks and tools more convenient as they shift to the cloud.)
Orca called the second flaw BreakingFormation and says it “could have been used to leak sensitive files found on the vulnerable service machine and make server-side requests (SSRF) susceptible to the unauthorized disclosure of credentials of internal AWS infrastructure services.” It says the flaw was “completely mitigated within 6 days” of its disclosure to AWS.
BleepingComputer notes that AWS VP Colm MacCárthaigh offered more information about the BreakingFormation flaw on Twitter. MacCárthaigh’s first tweet responded to a claim that the flaw showed Orca had “gained access to all AWS resources in all AWS accounts!” with the following:
Orca CTO Yoav Alon also tweeted that CloudFormation’s scope wasn’t as broad as the original tweet made it seem. MacCárthaigh followed up with a thread about Orca’s findings:
“We immediately reported the issue to AWS,” Orca says, “who acted quickly to fix it. The AWS security team coded a fix in less than 25 hours, and it reached all AWS regions within 6 days. Orca Security researchers helped test the fix to ensure that this vulnerability was correctly resolved, and we were able to verify that it could no longer be exploited.”