Security News > 2021 > December > AWS Among 12 Cloud Services Affected by Flaws in Eltima SDK
Researchers have found a number of high-security vulnerabilities in a library created by network virtualization firm Eltima, that leave about a dozen cloud services used by millions of users worldwide open to privilege-escalation attacks.
The flaws are in the USB Over Ethernet function of the Eltima SDK, not in the cloud services themselves, but because of code-sharing between the server side and the end user apps, they affect both clients - such as laptops and desktops running Amazon WorkSpaces software - and cloud-based machine instances that rely on services such as Amazon Nimble Studio AMI, that run in the Amazon cloud.
Other cloud services using the same libraries are probably affected as well, according to SentinelOne's advisory: "While we have confirmed these vulnerabilities for AWS, NoMachine and Accops, our testing was limited in scope to these vendors, and we believe it is highly likely other cloud providers using the same libraries would be vulnerable," the firm said.
The security holes, which are also found in Eltima SDK-derived products and proprietary variants, have been "Unwittingly inherited by cloud customers," Dekel wrote.
SentinelOne pointed out that vulnerabilities in third-party code such as the ones found in Eltima's SDK could spread far and wide, potentially endangering "Huge" numbers of products, systems and, ultimately, users: everything and everybody downstream in the cloud supply chain.
Recent instances of the code supply-chain vulnerabilities have included four Microsoft zero-days in the Azure cloud platform's Open Management Infrastructure - a software that many don't even realize is embedded in a host of services - that showed up in September.
News URL
https://threatpost.com/aws-cloud-services-flaws-eltima/176852/