Recently, Amazon's cloud service was exposed to be patching the so-called "Superglue" vulnerability. There is also a bug called AWS CloudFormation, which attackers can use to touch sensitive data from other users. The Orca security research team was the first to disclose flaws in AWS tools, and thankfully both bugs were fully patched.
(From Orca Security)
Let's start with the Superglue vulnerability, which gives users access to information managed by other AWS Glue users.
AWS officially advertises Glue as a serverless data integration service designed to easily discover, prepare, and combine data for analytics, machine learning, and application development.
In fact, Amazon's services are so large that Glue users can store up to a million objects for free.
Orca points out that we were able to identify a feature in AWS Glue that can be used to obtain credentials for a role in an official AWS service account, giving us full access to internal service APIs.
Combined with internal misconfiguration and the Glue Internal Access API, we were able to take permissions within the account to an unrestricted level, including full administrative access to all resources in an area.
There is at least one AWS customer account trusted by the Glue service.
Once successful, the attacker can query and modify relevant resources in the zone, including but not limited to metadata such as Glue jobs, development endpoints, workflows, crawlers, and triggers.
Orca Confirmed - It has confirmed its ability to control numerous accounts through this vulnerability to access information managed by other AWS Glue users.
Fortunately, shortly after the vulnerability was disclosed, Amazon responded within hours and implemented partial mitigation the next day, until it completely blocked the problem a few days later.
The second vulnerability affected AWS CloudFormation, whereby by treating infrastructure as code, users can model, provision, and manage first- and third-party resources.
This "infrastructure as code" paradigm has become increasingly popular with customers in recent years. When moving to the cloud, the ease of configuration and maintenance is also outstanding.
However, a second bug, called BreakingFormation, can be used to leak confidential files found on vulnerable servers.
Server-side requests (SSRF) are also vulnerable to unauthorized disclosure of internal AWS infrastructure service credentials — thankfully, the vulnerability was completely remediated within six days of disclosure to AWS.
Finally, Bleeping Computer shared more details about the BreakingFormation vulnerability that AWS Vice President Colm MacCárthaigh disclosed on Twitter, and acknowledged at the outset that Orca had access to all AWS account resources.
Yoav Alon, Orca's chief technology officer, then responded that CloudFormation's exposure was not as extensive as initially expected.
We immediately informed AWS of the issue, which quickly took action to address the issue.
The AWS security team wrote the first fix in less than 25 hours and implemented it to all AWS Regions within 6 days.
Orca security researchers helped test the fix to ensure that the issue was properly addressed and that we were able to verify that it would not be exploited again.