Critical AWS flaw exposes thousands of web apps to attack
A recently discovered vulnerability in Amazon Web Services' (AWS) Application Load Balancer, a traffic-routing service, could potentially expose thousands of web applications to security risks. The flaw is not due to a software bug but rather an issue with customer implementation: the risk arises from how AWS users configure authentication with the Application Load Balancer, as revealed by cybersecurity firm Miggo.
How the vulnerability works
The vulnerability could allow an attacker to manipulate the handoff of the Application Load Balancer to a third-party corporate authentication service, thereby gaining unauthorized access to web applications and potentially viewing or extracting data. To exploit this flaw, an attacker would need to create an AWS account and an Application Load Balancer. They would then sign their own authentication token before making configuration changes that make it appear as if their target's authentication service issued the token.
Over 15,000 web apps potentially at risk
Miggo's research indicates that over 15,000 publicly accessible web applications may have vulnerable configurations due to this flaw. However, AWS disputes these figures, stating that "a small fraction of a percent of AWS customers have applications potentially misconfigured in this way," which is significantly less than Miggo's estimate. The exact number remains uncertain as AWS does not have access or visibility into its clients' cloud environments.
AWS's response and recommendations
In response to the vulnerability disclosure, AWS has contacted customers to suggest a more secure implementation. The company does not view token forging as a vulnerability in Application Load Balancer, but rather as an expected outcome of choosing to configure authentication in a particular way. However, after Miggo disclosed their findings, AWS made two documentation changes aimed at updating their implementation recommendations for Application Load Balancer authentication.
AWS's updated guidance for secure implementation
The first update from AWS, dated May 1, included guidance to add validation before Application Load Balancer will sign tokens. On July 19, the company also added an explicit recommendation that users set their systems to receive traffic from only their own Application Load Balancer using a feature called "security groups." These changes effectively address the attack path proposed by Miggo researchers but require AWS users with vulnerable configurations to implement them.
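The attack path described above and the first of AWS's two recommendations both come down to one check on the application side. An application behind Application Load Balancer authentication receives a signed JWT from the load balancer (in AWS's documented x-amzn-oidc-data request header); the JWT header carries a kid, which locates the verification key at AWS's regional public-key endpoint, and a signer, which is the ARN of the load balancer that signed it. Because any load balancer in the region, including one in an attacker's own account, can produce a token whose signature verifies, the application must reject any token whose signer is not its own load balancer's ARN. The following is an added example, not code from Miggo, AWS, or the article, showing that validation order. To run offline with only the standard library it signs with HMAC-SHA256 as a stand-in for the ES256 signatures real load balancers use, resolves keys from an in-memory dictionary instead of the AWS key endpoint, and uses constructed ARNs, keys and claims. The second recommendation, restricting ingress to the load balancer with security groups, is a network control and is not part of this snippet.

```python
"""Validate a load-balancer-issued identity token the way an app behind
ALB authentication should.

Constructed example. Real tokens are ES256-signed and their keys are fetched
from AWS's regional public-key endpoint by `kid`; here HMAC-SHA256 and an
in-memory key table stand in so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(header: dict, claims: dict, key: bytes) -> str:
    """Build a JWT-shaped token (stand-in for what a load balancer issues)."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


class TokenRejected(Exception):
    pass


def validate_alb_token(token: str, expected_signer_arn: str, key_lookup, now=None) -> dict:
    """Return verified claims or raise TokenRejected.

    The decisive check is that `signer` equals *our* load balancer's ARN.
    A valid signature only proves some load balancer signed the token.
    """
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}")
    # 1. Signer identity, checked before any key is resolved.
    if header.get("signer") != expected_signer_arn:
        raise TokenRejected(f"unexpected signer: {header.get('signer')!r}")
    # 2. Pinned algorithm (HS256 here; ES256 in production), never taken on trust.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg: {header.get('alg')!r}")
    key = key_lookup(header.get("kid"))
    if key is None:
        raise TokenRejected(f"unknown kid: {header.get('kid')!r}")
    # 3. Signature covers header and claims, so `signer` cannot be rewritten.
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    # 4. Freshness.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenRejected("token expired")
    return claims


# Constructed identifiers; real ARNs and keys come from your own account.
MY_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/my-alb/0123456789abcdef"
OTHER_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/other-alb/fedcba9876543210"
KEYS = {"kid-mine": b"constructed-key-mine", "kid-other": b"constructed-key-other"}


def _outcome(token: str, now: int):
    try:
        return validate_alb_token(token, MY_ALB_ARN, KEYS.get, now=now)
    except TokenRejected as exc:
        return str(exc)


def demo(now: int = 1_700_000_000) -> dict:
    claims = {"sub": "user@example.com", "exp": now + 120}
    legit = mint_token({"alg": "HS256", "kid": "kid-mine", "signer": MY_ALB_ARN}, claims, KEYS["kid-mine"])
    # Token from a load balancer in another account: signature valid for its kid, signer is not ours.
    other = mint_token({"alg": "HS256", "kid": "kid-other", "signer": OTHER_ALB_ARN}, claims, KEYS["kid-other"])
    # Same token with `signer` rewritten after signing: signer check passes, signature fails.
    h_b64, c_b64, s_b64 = other.split(".")
    rewritten = dict(json.loads(_b64url_decode(h_b64)), signer=MY_ALB_ARN)
    tampered = ".".join([_b64url_encode(json.dumps(rewritten, separators=(",", ":")).encode()), c_b64, s_b64])
    return {"legit": _outcome(legit, now), "other_alb": _outcome(other, now), "tampered": _outcome(tampered, now)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order matters: the signer comparison happens before any key is fetched, so a token from another account's load balancer is rejected without a network round trip, and the signature check then guarantees the signer field itself cannot be edited. Skipping the signer check is exactly the configuration the article describes, since the other account's token passes every remaining step.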
AWS's shared responsibility model
The fixes proposed by AWS are not like a software patch that a developer can push out to all users. Instead, they involve changing how AWS customers have set up their own systems. This falls under the Shared Responsibility Model, where such situations often sit in the gray area between what a cloud platform provider should address for its customers and what users need to manage themselves.