According to sources, Amazon Web Services (AWS) has fixed two critical security flaws that could have been exploited to steal sensitive data.
Researchers at cybersecurity firm Orca Security found the two vulnerabilities in Amazon's cloud computing arm and named them Superglue and BreakingFormation.
Superglue exploited a flaw in AWS Glue that allowed users to access data maintained by other Glue users. AWS Glue is a service that customers use to store massive amounts of data.
A solution inside a day
"We were able to find a feature in AWS Glue that could be used to get credentials to a position inside the AWS service's own account, which gave us complete access to the internal service API," Orca said. "We were able to escalate privileges inside the account to the point where we had uncontrolled access to all resources for the service in the region, including full administrator rights, thanks to an internal misconfiguration in the Glue internal service API."
Orca's researchers used the flaw to perform a number of potentially malicious actions, including assuming roles in AWS customer accounts trusted by Glue, querying and modifying AWS Glue service-related resources in a specific region, and discovering a way to access data managed by other Glue users. It is worth noting that Orca did not obtain access to anybody else's data.
BreakingFormation exploited a flaw discovered in AWS CloudFormation, a service that allows users to "model, deploy, and manage AWS and third-party resources by treating infrastructure as code."
According to Orca, this vulnerability could have been used to steal sensitive data from third parties.
Orca's researchers examined the fixes (which reportedly took AWS around 25 hours to develop) and confirmed that the vulnerabilities had been properly remediated and were no longer exploitable.