Cybersecurity researchers have identified multiple critical vulnerabilities in Amazon Web Services (AWS) products that could lead to severe consequences if exploited successfully.
“The vulnerabilities discovered range from remote code execution (RCE) to full-service user takeover, manipulation of AI modules, exposure of sensitive data, data exfiltration, and denial of service,” said cloud security firm Aqua in a detailed report shared with The Hacker News.
Amazon addressed these vulnerabilities from March to June after being informed of them through responsible disclosure in February 2024. The findings were presented at Black Hat USA 2024.
The attack vector, dubbed Shadow Resource, underlies the issue Aqua calls Bucket Monopoly. It abuses the fact that services such as CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar automatically create an AWS S3 bucket with a predictable name when they are first used in a region.
Attackers can exploit this behavior by creating buckets with those names in AWS regions the victim has not yet used, then gaining access to the bucket's contents once a legitimate AWS customer enables one of the vulnerable services there.
The attacker-controlled S3 bucket, depending on the permissions granted, can be used to trigger a DoS condition, execute code, steal or manipulate data, and gain complete control over the victim’s account without detection.
Using Bucket Monopoly, attackers can claim the unclaimed buckets in every available region and store malicious code in them. That code executes when the targeted organization enables a vulnerable service for the first time in a new region, potentially creating an admin user that hands control of the account to the attackers.
However, the attacker must wait for the victim to deploy a new CloudFormation stack in a new region for the attack to be successful. Modifying the CloudFormation template file in the S3 bucket to create a rogue admin user also requires permission to manage IAM roles in the victim account.
Aqua also identified five other AWS services susceptible to Shadow Resource attacks due to their naming conventions for S3 buckets, potentially allowing threat actors to escalate privileges and perform malicious actions.
It is advised to generate a unique hash or random identifier for each region and account while creating S3 buckets to protect against premature claiming of buckets by attackers.
AWS account IDs could also be used to mount similar attacks and should therefore be treated as secret, contrary to what Amazon's documentation states.
“This attack vector affects not only AWS services but also many open-source projects used by organizations to deploy resources in their AWS environments,” Aqua stated.
In short, using predictable or static identifiers in the bucket name is discouraged; instead, a unique hash or random identifier for each region and account should be used to harden the naming scheme.
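As an added illustration of the naming recommendation above (example code, not from Aqua's report or AWS documentation), here is the weak pattern beside one way to apply the fix: a per-account, per-region suffix derived with a keyed hash, so the name stays deterministic for automation but cannot be guessed from the account ID and region alone. The service prefix, account ID and secret are constructed values, and the format of the weak name is an illustration rather than any specific AWS service's real convention.

```python
import hashlib
import hmac
import re
import secrets

# S3 general-purpose bucket naming rules (simplified): 3-63 characters,
# lowercase letters, digits, dots and hyphens, starting and ending with a
# letter or digit, and no consecutive dots.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if the name satisfies the simplified S3 naming rules."""
    return bool(_BUCKET_NAME_RE.match(name)) and ".." not in name


def predictable_bucket_name(service_prefix: str, region: str, account_id: str) -> str:
    """The weak pattern: every component is static or derivable from public
    information, so a third party can pre-create the same name in a region
    the account has not used yet. (Constructed illustration only.)"""
    return f"{service_prefix}-{region}-{account_id}"


def new_naming_secret() -> bytes:
    """Generate the per-deployment secret that makes bucket names unguessable.
    Store it outside templates and source control (e.g. a secrets manager)."""
    return secrets.token_bytes(32)


def hardened_bucket_name(service_prefix: str, region: str, account_id: str, secret: bytes) -> str:
    """Append a suffix that is unique per account and region and cannot be
    computed without `secret`. HMAC-SHA256 truncated to 16 hex characters
    keeps the result reproducible for automation while denying anyone who
    only knows the account ID and region the ability to claim the name first."""
    tag = hmac.new(secret, f"{account_id}/{region}".encode(), hashlib.sha256).hexdigest()[:16]
    name = f"{service_prefix}-{region}-{account_id}-{tag}"
    if not is_valid_bucket_name(name):
        raise ValueError(f"derived name violates S3 naming rules: {name}")
    return name


if __name__ == "__main__":
    # Constructed sample inputs; the account ID is not a real account.
    secret = new_naming_secret()
    print(predictable_bucket_name("cloudformation", "us-east-1", "123456789012"))
    print(hardened_bucket_name("cloudformation", "us-east-1", "123456789012", secret))
```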