Aqua Security finds critical vulnerabilities in six AWS services
Aqua Security's cyber research team, Nautilus, has identified critical vulnerabilities in six Amazon Web Services (AWS) offerings. These vulnerabilities pose significant risks, including remote code execution (RCE), full-service user takeover, manipulation of AI modules, exposing sensitive data, data exfiltration, and denial of service.
Aqua Security reported that the vulnerabilities could allow unauthorised users to gain access to AWS accounts through malicious code embedded in Amazon Simple Storage Service (S3) buckets. AWS promptly addressed and fixed these vulnerabilities.
Yakir Kadkoda, Lead Researcher at Aqua Security, remarked, "When creating a new service in AWS, there are internal dependencies and complexities that cloud users and developers might not be aware of. We found that under some conditions, an attacker could exploit gaps to gain access to and even take over AWS accounts."
The vulnerabilities were discovered in AWS services CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. According to the report, when any of these services is created in a new region for the first time, an S3 bucket is automatically generated with a specific name pattern. This name comprises the name of the service, the AWS account ID, and the region's name.
Aqua Nautilus researchers determined that attackers could anticipate or discover these bucket names. Using a strategy termed "Bucket Monopoly," attackers could pre-create buckets with malicious code in all available regions. As a result, when the target organisation enables the service in a new region, the service reads from the attacker-controlled bucket and the malicious code executes without the organisation's knowledge, potentially leading to the creation of an administrative user that grants the attackers control.
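The defensive checks that follow from this description are (1) enumerating the bucket names your own account would be assigned per service and region and confirming that your account already owns them, and (2) never reading deployment artefacts from a bucket without asserting the expected owner. The script below is an added illustration written for this article; it is not Aqua's or AWS's code. The naming pattern `<service>-<account-id>-<region>` is a hypothetical stand-in for the service-specific patterns in the report, the account ID, regions and bucket inventory are constructed sample data, and `FakeS3Client` only mimics the behaviour of the real `ExpectedBucketOwner` parameter that boto3's `get_object` accepts.

```python
"""Defender-side checks for predictable "shadow" S3 bucket names.

Added illustration, not Aqua's or AWS's code. The naming pattern is a
hypothetical stand-in for the per-service patterns in the report; the
account ID, regions and bucket inventory are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data (not a real account, not real buckets).
ACCOUNT_ID = "123456789012"
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]
SERVICES = ["cloudformation", "glue", "emr"]


def expected_bucket_names(account_id, regions, services):
    """Derive the bucket names an account would be assigned per service/region.

    Hypothetical pattern: <service>-<account-id>-<region>. The real patterns
    differ per service; what matters is that they are predictable.
    """
    return {
        f"{service}-{account_id}-{region}"
        for service in services
        for region in regions
    }


def unowned_expected_buckets(expected, owned):
    """Names this account would be assigned but does not currently own.

    Each is either still unclaimed (pre-create it yourself, in your account)
    or already held by another AWS account, i.e. a potential shadow resource
    that should be investigated before the service is enabled in that region.
    """
    return sorted(expected - set(owned))


@dataclass
class FakeS3Client:
    """Stand-in for a boto3 S3 client: maps bucket name -> owning account ID.

    The real service enforces ExpectedBucketOwner server-side and fails the
    request with AccessDenied when the bucket owner does not match.
    """
    owners: dict = field(default_factory=dict)
    objects: dict = field(default_factory=dict)

    def get_object(self, Bucket, Key, ExpectedBucketOwner=None):
        if ExpectedBucketOwner is not None and self.owners.get(Bucket) != ExpectedBucketOwner:
            raise PermissionError(f"AccessDenied: {Bucket} is not owned by {ExpectedBucketOwner}")
        return {"Body": self.objects[(Bucket, Key)]}


def read_trusted_template(client, bucket, key, account_id):
    """Read deployment artefacts only from a bucket this account owns.

    Returns the object body, or None when the bucket belongs to someone else,
    which is exactly the situation the Bucket Monopoly technique relies on.
    With a real boto3 client, catch botocore.exceptions.ClientError instead.
    """
    try:
        return client.get_object(Bucket=bucket, Key=key, ExpectedBucketOwner=account_id)["Body"]
    except PermissionError:
        return None


if __name__ == "__main__":
    expected = expected_bucket_names(ACCOUNT_ID, REGIONS, SERVICES)
    # Constructed inventory: only two of the nine expected names are owned.
    owned = ["cloudformation-123456789012-us-east-1", "glue-123456789012-us-east-1"]
    for name in unowned_expected_buckets(expected, owned):
        print("not owned by this account:", name)
```

In a real environment the `owned` list would come from `list_buckets` on your own account, and the audit should run before a service is enabled in a new region; the owner-asserting read closes the gap for buckets that are already in use.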
Ofek Itach, a security researcher at Aqua Nautilus, explained, "Because S3 bucket names are unique across all of AWS, if you capture a bucket, it's yours and no one else can claim that name. We demonstrated how S3 can become a shadow resource and how easily attackers can discover or guess it and exploit it."
Kadkoda further added, "This finding is a significant part of Nautilus and Aqua's mission. Our aim is to improve the security of the cloud and enable organisations to use it safely.
"Our responsible disclosure of findings to the AWS security team, and their professional response, prevented what could have been a massive initial access point for attackers, protecting the cloud environments of many organisations."
Aqua Security specialises in containerised cloud native applications from development to production. The company's full lifecycle solution prevents attacks by enforcing pre-deployment hygiene and mitigates attacks in real time in production, reducing mean time to repair and overall business risk. The Aqua Platform, a Cloud Native Application Protection Platform (CNAPP), integrates security from Code to Cloud, combining the power of agent and agentless technology into a single solution.