According to new research, a vulnerability related to Amazon Web Service’s traffic routing service called Application Load Balancer could have been exploited by attackers to bypass access controls and compromise web applications. The vulnerability stems from a customer implementation issue, meaning it’s not caused by a software bug. Instead, the vulnerability is introduced through the way AWS users set up authentication with the Application Load Balancer.
Deployment issues are a critical component of cloud security in the same way that the contents of an armored safe are unprotected if the door is left ajar. Researchers from security firm Miggo establish that, depending on how the Application Load Balancer authentication is set up, an attacker could manipulate the handoff to a third-party enterprise authentication service to access the target web application and view or steal data.
The researchers said that when they looked at publicly accessible web applications, they identified more than 15,000 applications with vulnerable configurations. However, AWS disputed that estimate, saying that “only a fraction of one percent of AWS customers have applications potentially misconfigured in this way, significantly less than the researchers estimated.” The company also said that it had contacted each of the customers on its shortlist to recommend a more secure implementation. However, AWS does not have access or visibility into its customers’ cloud environments, so any exact number is just an estimate.
Miggo researchers said they encountered this issue while working with a customer. It was “discovered in a real production environment,” said Miggo CEO Daniel Shechter. “We observed a strange behavior in the customer system—the authentication process seemed to be only partially implemented, as if something was missing. This really shows how deeply interdependent the customer and the provider are.”
To exploit the deployment issue, an attacker would set up an AWS account and an Application Load Balancer, then sign their own authentication token as usual. Next, the attacker would make configuration changes to make it appear that the target’s authentication service issued the token. The attacker would then ask AWS to sign the token as if it came from a legitimate source on the target’s system and use it to access the target application. The attack would specifically target a misconfigured application that is either publicly accessible or that the attacker already has access to, but would allow them to escalate their privileges within the system.
Amazon Web Services said the company did not consider token spoofing a vulnerability in Application Load Balancer because it was essentially an expected result of choosing to configure authentication in a particular way. But after the Miggo researchers first disclosed their findings to AWS in early April, the company made two changes to the document aiming to update their deployment recommendations for Application Load Balancer authentication. One, as of May 1, includes guidance for add authentication before the Application Load Balancer signs the token. And on July 19, the company also added an explicit recommendation that users set up their systems to only receive traffic from their own Application Load Balancer. use a feature called “security groups”.
