Orca Security tells AWS fail tale with a happy ending
On Thursday, Orca Security published details about Superglue and BreakingFormation, vulnerabilities in AWS Glue and AWS CloudFormation that allowed attackers to access other customers' data, read files, and make server-side requests to internal web services infrastructure.
"During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service's own account, which provided us full access to the internal service API," explained Yanir Tsarimi in a blog post.
By interacting with the AWS command-line interface, the researchers were able to see configuration data associated with the Glue default account, which can be delegated to perform actions on behalf of the AWS account holder, and from that were able to infer how to access data controlled by other AWS customers.
Orca Security bug sleuth Tzah Pahima found an XML External Entity (XXE) vulnerability that allowed tenant boundaries to be bypassed and conferred privileged access to AWS resources.
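The page gives no technical detail of the CloudFormation bug beyond its class, so the following is an added example (not Orca's or AWS's code) of the standard defensive control for XXE: refusing any DOCTYPE or entity declaration in XML received from an untrusted party, before the parser has a chance to resolve anything. The function names `parse_untrusted_xml` and `rejects_dtd`, the `DtdNotAllowed` exception, and both sample documents are constructed for this illustration; the file path in the hostile sample is a placeholder.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, refusing DTDs outright.

    External entities are the XXE vector; internal entities enable entity-expansion
    denial of service. Neither has a legitimate use in a template or request body,
    so the parser aborts on the first DOCTYPE or entity declaration it sees, which
    happens before any element content (and any entity reference) is processed.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE ...", i.e. before the internal subset is read.
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} not allowed in untrusted input")

    def reject_entity(name, is_parameter_entity, value, base, system_id,
                      public_id, notation_name):
        # Defence in depth: would fire on "<!ENTITY ...>" even if DOCTYPE slipped past.
        raise DtdNotAllowed(f"entity declaration {name!r} not allowed in untrusted input")

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return result


def rejects_dtd(data: bytes) -> bool:
    """True if the document is refused because it declares a DTD or entity."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed samples: a benign flat document and an XXE-shaped one.
BENIGN = b"<template><name>web-tier</name><region>us-east-1</region></template>"
HOSTILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE template [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<template><name>&ext;</name></template>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print("hostile sample rejected:", rejects_dtd(HOSTILE))
```

Rejecting the DTD wholesale is simpler and safer than trying to allow "harmless" internal entities while blocking external ones; a service that accepts XML across a tenant boundary should also log each rejection, since a DOCTYPE in a request body is a useful detection signal in its own right.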
"The server contained multiple service binaries containing AWS server-side logic, as well as configuration files for connecting to internal AWS endpoints and services."
"We are aware of an issue related to AWS Glue ETL and can confirm that no AWS customer accounts or data were affected," an Amazon spokesperson told The Register in an email.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/01/13/orca_security_tells_aws_fail/