An AWS configuration issue could put thousands of web apps at risk

A vulnerability in Amazon Web Services' traffic routing service known as Application Load Balancer could have been exploited by an attacker to bypass access controls and compromise web applications, new research shows. The flaw is due to a customer implementation issue, meaning it is not caused by a software bug. Instead, the vulnerability was caused by the way AWS users set up authentication with Application Load Balancer.

Implementation issues are a critical part of cloud security, just as the contents of an armored safe are not protected if the door is left ajar. Researchers at security firm Miggo found that depending on how Application Load Balancer authentication is set up, an attacker could potentially tamper with the handoff to a third-party authentication service to access the target web application and view or exfiltrate data.

The researchers say that when examining publicly accessible web applications, they identified more than 15,000 that appear to have vulnerable configurations. However, AWS disputes this estimate, saying that “a small fraction of a percent of AWS customers may have applications misconfigured in this way, significantly less than the researchers’ estimate.” The company also says it has contacted each customer on its shorter list to recommend a more secure implementation. However, AWS does not have access or visibility into its customers’ cloud environments, so any exact number is only an estimate.

Miggo researchers say they encountered the problem while working with a customer. It “was discovered in real production environments,” says Miggo CEO Daniel Shechter. “We observed strange behavior in a customer system – the validation process seemed to be only partially performed, as if something was missing. This really shows how deep the interdependencies between customer and vendor go.”

To exploit the implementation issue, an attacker would set up an AWS account and an Application Load Balancer, then sign their own authentication token as usual. Next, the attacker would make configuration changes to make it appear as though their target's authentication service issued the token. The attacker would then have AWS sign the token as if it legitimately came from the target's system and use it to access the target application. The attack must specifically target a misconfigured application that is publicly accessible, or one the attacker already has some access to, in which case the flaw would allow them to escalate their privileges in the system.

Amazon Web Services says the company does not consider token forgery to be a vulnerability in Application Load Balancer, as it is essentially an expected result of a particular configuration of authentication. But after Miggo researchers first shared their findings with AWS in early April, the company made two changes to documentation aimed at updating its implementation recommendations for Application Load Balancer authentication. One of them, effective May 1, included guidance to add validation before Application Load Balancer signs tokens. And on July 19, the company also added an explicit recommendation that users set up their systems to only receive traffic from their own Application Load Balancer using a feature called “security groups.”
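As an added illustration of the validation AWS now recommends (this is example code, not code from the article, Miggo or AWS), the check below runs before an application trusts any claim in a load-balancer-issued token. It assumes the token layout AWS documents for ALB authentication (a JWT whose header carries `alg`, `kid` and `signer`, with public keys served per `kid` from the regional endpoint named in `KEY_URL`); because fetching that key needs network access, signature verification is delegated to a callable and the demo plugs in a stand-in.

```python
import base64
import json
from typing import Callable, Optional
# Endpoint that serves ALB public keys by key id (documented AWS format).
KEY_URL = "https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"
def _b64url_decode(segment: str) -> bytes:
    # ALB tokens may or may not carry base64 padding; normalise before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def encode_token(header: dict, payload: dict, signature: bytes) -> str:
    # Builds the header.payload.signature layout; used here only to construct sample
    # input. Real tokens arrive from the ALB in the x-amzn-oidc-data request header.
    parts = (json.dumps(header).encode(), json.dumps(payload).encode(), signature)
    return ".".join(base64.urlsafe_b64encode(p).decode().rstrip("=") for p in parts)
def verify_alb_token(token: str, trusted_signers: set, region: str,
                     verify_signature: Callable[[bytes, bytes, str], bool]) -> Optional[dict]:
    """Return the claims only if the token came from one of OUR load balancers, else None.
    Any ALB in any account emits validly signed tokens, so the signature alone proves
    nothing: the 'signer' header must match an ARN we own before claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "ES256":  # ALB signs with ES256 only
        return None
    if header.get("signer") not in trusted_signers:  # exact match against our ARN allow-list
        return None
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        return None
    key_url = KEY_URL.format(region=region, kid=kid)
    if not verify_signature(f"{header_b64}.{payload_b64}".encode(), signature, key_url):
        return None
    return payload

# Constructed sample data: a token from our own ALB and one from an attacker-controlled ALB.
OUR_ALB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/our-alb/abc123"
ATTACKER_ALB = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/other/def456"
CLAIMS = {"sub": "user-123", "email": "alice@example.com"}
LEGIT_TOKEN = encode_token({"alg": "ES256", "kid": "k1", "signer": OUR_ALB}, CLAIMS, b"sig")
FORGED_TOKEN = encode_token({"alg": "ES256", "kid": "k1", "signer": ATTACKER_ALB}, CLAIMS, b"sig")
def accept_signature(signing_input: bytes, signature: bytes, key_url: str) -> bool:
    # Demo stand-in only; production code fetches the ES256 key from key_url and verifies.
    return True
```

The forged token is rejected even though an ALB really signed it, because its `signer` is not on the application's allow-list; the signature check still matters, but only after the signer check passes.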

By Bronte
