According to new research, an attacker may have exploited a vulnerability related to Amazon Web Service’s traffic routing service, known as Application Load Balancer, to bypass access controls and compromise web applications. The flaw stems from a client implementation issue, meaning it is not caused by a software bug. Instead, the exposure occurred through the way AWS users configure authentication with Application Load Balancer.
Implementation issues are a crucial component of cloud security, much like the contents of an armored safe are not protected if the door is left ajar. Researchers at security firm Miggo found which, depending on how Application Load Balancer authentication is configured, an attacker could potentially manipulate its transfer to a third-party corporate authentication service to access the target web application and view or exfiltrate data.
Researchers say that after analyzing publicly accessible web applications, they have identified more than 15,000 that appear to have vulnerable configurations. However, AWS disputes this estimate, saying that “a small fraction of one percent of AWS customers have applications potentially misconfigured in this way – significantly fewer than the researchers estimate.” The company also says it has contacted every customer on its shortlist to recommend a more secure implementation. However, AWS has no access to or visibility into its customers’ cloud environments, so any exact number is just an estimate.
Miggo researchers say they encountered the issue while working with a customer. “They discovered it in real production environments,” says Miggo CEO Daniel Shechter. “We observed strange behavior on one customer’s system: it seemed like the validation process was only partially performed, as if something was missing. This really shows how deep the interdependencies between customer and vendor are.”
To exploit the deployment issue, an attacker would set up an AWS account and an Application Load Balancer, and then sign their own authentication token as usual. The attacker would then make configuration changes to make it appear as if their target’s authentication service issued the token. The attacker would then have AWS sign the token as if it legitimately originated on the target’s system and use it to access the target application. The attack must specifically target a misconfigured application that is either publicly accessible or one that the attacker already has access to, but that allows them to escalate their privileges on the system.
Amazon Web Services says the company does not consider token forgery a vulnerability in Application Load Balancer because it is essentially an expected result of choosing to configure authentication in a particular way. But after Miggo researchers first disclosed their findings to AWS in early April, the company Made two changes to the documentation aimed at updating their implementation recommendations for Application Load Balancer authentication. One, dated May 1, included guidance for add validation before the Application Load Balancer signs tokens. And on July 19, the company also added an explicit recommendation that users configure their systems to receive traffic only from their own Application Load Balancer. using a feature called “security groups.”
