Posts Tagged ‘CloudSecurity’
[DefCon32] DEF CON 32: Exploiting Cloud Provider Vulnerabilities for Initial Access
Nick Frichette, a cloud security researcher at Datadog, gave the DEF CON 32 audience a deep dive into vulnerabilities in Amazon Web Services (AWS) itself that yield initial access to customer environments. Moving past the usual customer misconfigurations, Nick examined flaws in AWS services such as AppSync and Amplify that let an attacker assume or take over Identity and Access Management (IAM) roles in other customers' accounts. The talk closed with practical defensive measures that organizations can apply to their own role trust policies, which hold up even when the provider's service is the thing that is flawed.
Understanding IAM Role Exploits
Nick began with how IAM roles establish trust: a role's trust policy names the principals allowed to assume it through sts:AssumeRole (or sts:AssumeRoleWithWebIdentity for federated identities), and that policy is the only thing keeping other accounts out. He then walked through a confused deputy vulnerability in AWS AppSync. Roles that trusted the AppSync service principal could be assumed by AppSync on behalf of any caller, so an attacker working from their own account could point AppSync at a role in a victim's account and have the service assume it, bypassing the intended trust boundary. A real-world case study showed the unauthorized access this produced, and Nick stressed that knowing exactly which callers a trust relationship admits is the key to preventing such breaches.
Amplify Vulnerabilities and Zero-Day Risks
Nick then revealed a critical vulnerability in AWS Amplify: IAM roles that the service created in customer accounts were open to takeover, giving an attacker a foothold in a victim account without holding any credentials for it. His demonstration showed the exploit running entirely from the attacker's side, which is what makes a zero-day in a cloud service so severe: the victim made no configuration mistake and has no patch to apply. Nick's analysis of Amplify's architecture explained how such flaws arise, and he urged practitioners to scrutinize the roles and trust policies that managed services generate on their behalf rather than assuming they are safe.
Defensive Strategies for Cloud Security
Nick concluded with actionable recommendations: add condition keys to IAM trust policies to block cross-tenant abuse, in particular aws:SourceAccount and aws:SourceArn on any role that an AWS service is allowed to assume. He showed that an account-specific condition of this kind stopped his AppSync exploit even though the service itself was still vulnerable, which is defense in depth in practice. He encouraged organizations to audit their IAM roles, especially those assumed through web identity federation, and to test trust policies before deployment. His research is published at Datadog Security Labs.
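The confused-deputy check above, as an added example (not code from the talk or from Datadog): a small auditor that flags role trust policies allowing an AWS service principal to assume the role without an aws:SourceAccount / aws:SourceArn condition, and a helper that pins the account. Both policies and the account ID 111122223333 are constructed placeholders.

```python
"""Added example (not from the talk): audit IAM role trust policies for the
confused-deputy gap.  A role that trusts an AWS service principal (here
appsync.amazonaws.com) without pinning aws:SourceAccount / aws:SourceArn can
be assumed by that service on behalf of *any* AWS account."""
import json

# Constructed trust policies.  111122223333 is a placeholder account ID.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppSync",
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppSyncFromMyAccountOnly",
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:appsync:*:111122223333:apis/*"},
        },
    }],
}

# Any one of these keys ties the role assumption to a caller-owned resource.
SOURCE_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _condition_keys(stmt):
    """All condition keys in a statement, lower-cased, across every operator."""
    keys = set()
    for operator_values in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def _is_service_assume(stmt):
    """True for an Allow statement letting an AWS service principal assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or "Service" not in principal:
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"sts:assumerole", "sts:*"})


def find_confused_deputy_risks(policy):
    """Return the service principals that may assume the role on behalf of
    any account (no source-account/ARN condition on their statement)."""
    risky = []
    for stmt in _statements(policy):
        if _is_service_assume(stmt) and not (_condition_keys(stmt) & SOURCE_CONDITION_KEYS):
            risky.extend(_as_list(stmt["Principal"]["Service"]))
    return sorted(risky)


def harden(policy, account_id):
    """Return a copy with aws:SourceAccount pinned on every service-principal
    statement that lacks a source condition; the input is not modified."""
    hardened = json.loads(json.dumps(policy))
    for stmt in _statements(hardened):
        if _is_service_assume(stmt) and not (_condition_keys(stmt) & SOURCE_CONDITION_KEYS):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:SourceAccount"] = account_id
    return hardened


if __name__ == "__main__":
    print("weak:    ", find_confused_deputy_risks(WEAK_TRUST_POLICY))
    print("hardened:", find_confused_deputy_risks(HARDENED_TRUST_POLICY))
    print(json.dumps(harden(WEAK_TRUST_POLICY, "111122223333"), indent=2))
```

Feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for every role in the account; any principal it returns is a role that a vulnerable or confused service could be talked into assuming from a stranger's account.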
[DefCon32] AWS CloudQuarry: Digging for Secrets in Public AMIs
Eduard Agavriloae and Matei Josephs, security researchers from KPMG Romania and Syncubes, present a sobering survey of public Amazon Machine Images (AMIs). Their CloudQuarry project scanned 3.1 million public AMIs and found AWS access credentials left inside them, enough in some cases to take over the publishing account. Eduard and Matei walk through their methodology and argue for stronger cloud hygiene to contain the problem.
Uncovering Secrets in Public AMIs
Eduard opens with the CloudQuarry project itself, which enumerated public AMIs and scanned millions of them with automated tooling, including tools such as ScoutSuite. The key finding was exposed access keys baked into images, which anyone who launches or inspects the image can read and then use against the owner's AWS account. Supported by KPMG Romania, the research highlights how pervasive misconfigured cloud resources are, a problem Eduard and Matei expect to persist because it is rooted in human error.
Methodologies and Tools
Matei explains their approach: automated tooling enumerates public AMIs, launches or mounts them, and searches the filesystem for sensitive data. Their analysis turned up credentials embedded in images whose owners had clearly forgotten they were there. Eduard and Matei never used the keys; they disclosed each finding responsibly to the affected party, showing the restraint a malicious actor would not, and making plain the damage such an actor could do at this scale.
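What the extraction step looks like in practice, as an added example that is not CloudQuarry's own tooling: once an AMI's root volume is mounted (for instance at /mnt/ami after attaching a volume created from the image's snapshot), walk it for AWS access key IDs, parse ~/.aws/credentials profiles, and note whether a secret key sits beside each ID. The sample tree, the paths in it and the keys (AWS documentation example values) are constructed.

```python
"""Added example (not the CloudQuarry tooling): hunt for AWS credentials on
the filesystem of a launched or mounted public AMI.  Point scan_mounted_image
at the mount point of the image's root volume (e.g. /mnt/ami); here a
constructed sample tree stands in for it."""
import configparser
import os
import re
import tempfile

# Long-term keys start with AKIA, STS temporary keys with ASIA; both are 20 chars.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+]{40}")


def build_sample_image():
    """Create a constructed mini filesystem that mimics what is left behind in
    a carelessly published AMI.  Keys are the AWS documentation examples."""
    root = tempfile.mkdtemp(prefix="ami-")
    files = {
        "home/ubuntu/.aws/credentials": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        "root/.bash_history": (
            "export AWS_ACCESS_KEY_ID=ASIAQEXAMPLE12345678\n"
            "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
            "aws s3 ls\n"
        ),
        "opt/app/.env": "DB_HOST=localhost\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "etc/hostname": "build-box\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def _profiles(text):
    """Map access key ID -> profile name for an ~/.aws/credentials INI file."""
    parser = configparser.ConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    return {
        parser.get(section, "aws_access_key_id"): section
        for section in parser.sections()
        if parser.has_option(section, "aws_access_key_id")
    }


def scan_mounted_image(root, max_bytes=1_000_000):
    """Walk the image and return one finding per (file, access key ID)."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large binaries; tune for real images
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            profiles = _profiles(text) if name == "credentials" else {}
            for key_id in sorted(set(KEY_ID_RE.findall(text))):
                findings.append({
                    "path": rel,
                    "access_key_id": key_id,
                    "kind": "temporary" if key_id.startswith("ASIA") else "long-term",
                    "profile": profiles.get(key_id),
                    "secret_nearby": bool(SECRET_RE.search(text)),
                })
    return sorted(findings, key=lambda f: (f["path"], f["access_key_id"]))


if __name__ == "__main__":
    for finding in scan_mounted_image(build_sample_image()):
        print(finding)
```

A key ID with a secret beside it is the finding that matters; a lone ASIA key is a session credential that has almost certainly expired, whereas a lone AKIA key still tells you which account and user published the image and is worth reporting.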
Risks of Account Takeover
The duo then covers the consequences of exposed credentials: unauthorized access, data breaches, or ransomware, depending on what the key is allowed to do. They reported their findings to the affected companies while asking only for T-shirts in return, a detail that underlines how cheaply an attacker could have obtained the same access. Eduard describes the adrenaline rush of finding a live key, a reminder of how high the stakes are.
Strengthening Cloud Security
Concluding, Matei advocates routine configuration reviews and automated monitoring so that credentials never make it into a published image and any exposure is caught quickly. Their collaborative approach, inviting community feedback, reinforces the point that cloud security is a collective effort. By sharing their tooling and lessons, Eduard and Matei give organizations the means to harden their AWS deployments against this class of exposure.
[DefCon32] Breaching AWS Through Shadow Resources
The complexity of cloud environments hides subtle vulnerabilities, and Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach from Aqua Security show how shadow resources in Amazon Web Services (AWS) can be exploited. Their research uncovered six critical vulnerabilities, ranging from remote code execution to information disclosure, that could lead to full account takeover. By mapping the internal APIs behind these services and releasing an open-source tool, Yakir, Michael, and Ofek enable researchers to probe cloud systems and offer developers concrete mitigations.
Uncovering Shadow Resource Vulnerabilities
Yakir introduces shadow resources: resources, typically S3 buckets, that an AWS service creates behind the scenes to support an operation the user asked for. The team found that services including CloudFormation, Glue, and EMR read from and write to such buckets, and that the bucket names were predictable. An attacker who registers the name first, before the victim uses the service in a given region, then controls what the service reads back; in the worst cases that meant remote code execution and assumption of an administrative role, compromising the entire account. By analyzing these service dependencies systematically, Yakir's team built a methodology for uncovering this class of hidden risk.
Mapping and Exploiting Internal APIs
Michael details how they mapped AWS's internal APIs, finding common patterns that turn a single hijacked bucket into a high-impact compromise. The open-source tool released during the talk automates this mapping so researchers can spot exposed resources. The core primitive is that an unclaimed S3 bucket name can be registered by anyone; once the attacker owns it, the dependent service trusts whatever data it finds there, enabling data manipulation or privilege escalation. This methodical mapping exposed systemic flaws and highlights the need to track every resource a service creates on your behalf.
Mitigation Strategies for Cloud Security
Ofek outlines practical defenses: scope IAM policies with the aws:ResourceAccount condition key so a role can only reach buckets in the expected account, set the ExpectedBucketOwner parameter on S3 requests so a call to a bucket owned by someone else fails, and use randomized bucket names that cannot be guessed or pre-registered. These measures apply equally to open-source projects that create buckets on users' behalf, and they stop dangling resources from becoming attack vectors. Ofek also emphasizes proactive checks to confirm that the vulnerabilities already reported have actually been addressed in your own environment.
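The three mitigations above in code, as an added example that is not Aqua's tool or AWS's own guidance: an auditor that flags S3 grants lacking an aws:ResourceAccount pin (shown on a weak policy beside its hardened form), the request arguments that make bucket ownership explicit through ExpectedBucketOwner, and a generator for bucket names with enough entropy that nobody can register them first. The policies, the `cf-templates-*` resource pattern and the account IDs are constructed.

```python
"""Added example (not Aqua's tool): audit an IAM policy for S3 grants that
are not pinned to the expected bucket owner, build the S3 request arguments
that make ownership explicit, and generate bucket names nobody can
pre-register.  Account ID 111122223333 is a placeholder."""
import json
import re
import secrets

# Constructed: a role policy for a service that reads deployment templates.
# The weak form accepts any bucket matching the prefix, including one an
# attacker created first in a region the victim has never used.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadTemplates",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::cf-templates-*/*",
    }],
}

# Hardened form: identical grant, but only for buckets owned by our account.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:ResourceAccount": "111122223333"}
}

BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_resource_account(policy, expected_account):
    """Return Sids of Allow statements that grant S3 actions without a
    StringEquals aws:ResourceAccount condition equal to expected_account."""
    offenders = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue
        pinned = False
        for operator, values in stmt.get("Condition", {}).items():
            if operator.lower() != "stringequals":
                continue  # StringLike / IfExists variants do not prove ownership
            for key, allowed in values.items():
                if key.lower() == "aws:resourceaccount" and set(_as_list(allowed)) == {expected_account}:
                    pinned = True
        if not pinned:
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


def s3_request_args(bucket, key, owner_account):
    """Keyword arguments for boto3's s3.get_object / put_object.  With
    ExpectedBucketOwner set, S3 rejects the call (403) if the bucket belongs
    to anyone else, so a squatted bucket fails closed."""
    return {"Bucket": bucket, "Key": key, "ExpectedBucketOwner": owner_account}


def unguessable_bucket_name(prefix, entropy_bytes=16):
    """prefix plus 128 random bits: cannot be predicted, so it cannot be
    pre-registered.  S3 names are 3-63 lowercase letters, digits, hyphens."""
    name = f"{prefix}-{secrets.token_hex(entropy_bytes)}"
    if not BUCKET_NAME_RE.match(name):
        raise ValueError(f"invalid bucket name: {name}")
    return name


if __name__ == "__main__":
    print("weak:    ", audit_resource_account(WEAK_POLICY, "111122223333"))
    print("hardened:", audit_resource_account(HARDENED_POLICY, "111122223333"))
    print(unguessable_bucket_name("cf-templates"))
```

The auditor deliberately accepts only an exact StringEquals match: a StringLike with a wildcard, or an IfExists variant, still lets a request reach a bucket somebody else owns.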
Future Research and Community Collaboration
The trio concludes by urging researchers to explore new cloud attack surfaces, particularly internal API dependencies. Their open-source tool fosters community-driven discovery, encouraging developers to adopt secure practices. By sharing their findings, Yakir, Michael, and Ofek aim to strengthen AWS environments, ensuring that shadow resources no longer serve as gateways for catastrophic breaches.
[DefCon32] Secrets & Shadows: Leveraging Big Data for Vulnerability Discovery
Vulnerability discovery at scale requires rethinking traditional approaches, and Bill Demirkapi, an independent security researcher, shows how big data surfaces weaknesses that target-by-target work misses. Drawing on unconventional sources such as virus scanning platforms, Bill identified tens of thousands of vulnerabilities, from forgotten cloud assets to leaked secrets. His talk shifts the paradigm from analyzing one target at a time to correlating vulnerability data across diverse datasets, exposing systemic flaws in major organizations.
Scaling Vulnerability Discovery
Bill challenges conventional methods that focus on a single target, advocating a data-driven approach instead. By analyzing DNS records at scale for dangling domains and scanning public repositories for secret patterns, he uncovers misconfigurations such as exposed AWS keys. His methodology then correlates these findings with organizational asset inventories, revealing vulnerabilities that ordinary scans miss. One case study involves an AWS support case nobody read: a leaked key stayed active because the notification went to a generic billing mailbox.
Exploiting Forgotten Cloud Assets
Dangling domains are DNS records that still point at a cloud IP address or hostname the organization has since released; an attacker who claims that address or name now serves content under the organization's domain. Bill's large-scale DNS analysis identifies these records, exposing forgotten cloud assets across enterprises. By cross-referencing with cloud provider data, he maps each one to a specific organization, demonstrating how a seemingly trivial oversight becomes a real entry point.
Addressing Leaked Secrets
Leaked credentials such as AWS access keys are dangerous the moment they are posted publicly. Bill used virus scanning platforms, where uploaded files are searchable, to detect such secrets, and found a gap in provider responses: AWS, unlike Google Cloud or Slack, does not automatically revoke an exposed key. He proposes automated revocation mechanisms and shares a tool that streamlines key detection, urging providers to make revocation the default.
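The automated revocation the talk calls for, as an added example that is neither Bill's tool nor AWS's own tooling: extract AWS access key IDs from a leaked blob, map each to an IAM user with get_access_key_last_used, and deactivate the ones that belong to your account. FakeIam is a constructed stand-in for `boto3.client("iam")` that mimics the call shapes and the NoSuchEntity error; the leak text, user names and keys (AWS documentation example values) are constructed.

```python
"""Added example (not Bill's tool): find AWS access key IDs in a leaked blob
and deactivate the ones that belong to us.  FakeIam is a constructed stand-in
for boto3.client("iam") with the same call shapes; swap in the real client
in production."""
import re

KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed "leak" as it might appear in a paste or a public repository.
SAMPLE_LEAK = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# old CI creds
AWS_ACCESS_KEY_ID=AKIAINACTIVEEXAMPLE1
AWS_ACCESS_KEY_ID=AKIAUNKNOWNEXAMPLE12
AWS_ACCESS_KEY_ID=ASIAQEXAMPLE12345678   # session creds
"""


class FakeIam:
    """Mimics the three IAM calls used below.  The real client raises
    iam.exceptions.NoSuchEntityException for keys from other accounts."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, keys):
        # AccessKeyId -> {"UserName": ..., "Status": "Active" | "Inactive"}
        self.keys = keys

    def get_access_key_last_used(self, AccessKeyId):
        if AccessKeyId not in self.keys:
            raise self.exceptions.NoSuchEntityException(AccessKeyId)
        return {"UserName": self.keys[AccessKeyId]["UserName"], "AccessKeyLastUsed": {}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": u["UserName"], "AccessKeyId": k, "Status": u["Status"]}
            for k, u in self.keys.items() if u["UserName"] == UserName]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        return {}


def find_key_ids(text):
    """Sorted, de-duplicated access key IDs present in text."""
    return sorted(set(KEY_ID_RE.findall(text)))


def revoke_exposed_keys(iam, text):
    """Deactivate (not delete: keep the audit trail) every long-term key in
    text that exists in this account.  Returns key ID -> outcome."""
    outcomes = {}
    for key_id in find_key_ids(text):
        if key_id.startswith("ASIA"):
            # STS credentials have no IAM object; revoke the role's sessions instead.
            outcomes[key_id] = "temporary-sts-credential"
            continue
        try:
            user = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
        except iam.exceptions.NoSuchEntityException:
            outcomes[key_id] = "not-in-this-account"
            continue
        status = next(k["Status"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
                      if k["AccessKeyId"] == key_id)
        if status == "Inactive":
            outcomes[key_id] = f"already-inactive ({user})"
        else:
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
            outcomes[key_id] = f"deactivated ({user})"
    return outcomes


if __name__ == "__main__":
    demo = FakeIam({"AKIAIOSFODNN7EXAMPLE": {"UserName": "alice", "Status": "Active"}})
    for key, outcome in revoke_exposed_keys(demo, SAMPLE_LEAK).items():
        print(key, outcome)
```

Deactivation rather than deletion keeps the key ID resolvable for the investigation that follows; the "not-in-this-account" outcome is what you forward to the provider or the other organization, which is exactly the gap the talk describes.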
Industry-Wide Solutions
Bill calls for systemic changes, emphasizing the provider's responsibility to revoke exposed credentials immediately. His open-source tools and methodology, available for community use, let researchers replicate his approach across other vulnerability classes. By moving beyond target-specific discovery, Bill's work fosters a collaborative effort to close ecosystem-wide security gaps.
[DefCon32] OH MY DC: Abusing OIDC All the Way to Your Cloud
As organizations move from static credentials to short-lived, federated authentication, overlooked details in the implementations create fertile ground for exploitation. Aviad Hahami, a security researcher at Palo Alto Networks, demystifies OpenID Connect (OIDC) as used in continuous integration and deployment (CI/CD) workflows. His examination reveals vulnerabilities stemming from both under-configuration and misconfiguration, each enabling unauthorized access to cloud environments. By switching among the perspectives of users, identity providers, and CI vendors, Aviad illustrates attack vectors that compromise sensitive resources.
Aviad begins with foundational concepts, clarifying OIDC's role in exchanging a short-lived signed token for cloud credentials. In CI/CD the CI platform is the identity provider (IdP): a GitHub Actions job, for example, requests an ID token from GitHub's OIDC provider, and the token carries claims such as the repository, the ref, the commit SHA and the intended audience. The cloud side, which the talk calls the workload identity federation (WIF), is in AWS an IAM OIDC identity provider plus a role trust policy consulted by sts:AssumeRoleWithWebIdentity, and in Azure a federated identity credential; it verifies the token's signature and checks its claims against that policy. Proper configuration ensures that only tokens from the intended workflows are accepted, but lapses invite abuse.
Common pitfalls include wildcards in the trust conditions, for instance matching the subject claim against every repository in an organization, which permits access from repositories that were never meant to deploy. Aviad demonstrates how a pull request from a fork can satisfy such a policy and obtain a cloud role without any maintainer approval. These "no config" scenarios, where minimal attacker effort yields a high reward, underscore the need to validate claims precisely: the exact repository, the exact ref or environment, and the expected audience.
Advanced Configurations and Misconfigurations
Delving deeper, Aviad explores "advanced configs" that inadvertently become misconfigurations. Features such as GitHub's handling of ID token requests for forks introduce risk unless the behaviour is explicitly enabled and understood. He recounts discovering a vulnerability in CircleCI, where reusable configurations allowed token issuance to forks, bypassing the protections that should have kept fork code away from cloud credentials.
Shifting to the IdP viewpoint, Aviad discloses a real-world flaw in a popular CI vendor that let a token assert claims for any project within an organization. A pull request to one low-value project could therefore satisfy a cloud trust policy written for another, a cross-project escalation that compromised cloud accounts. Reported responsibly, the issue was fixed, and it illustrates how an IdP error cascades into every cloud that trusts it.
He references Tinder's research on similar WIF misconfigurations, reinforcing that even sophisticated setups fail without rigorous scrutiny of claims.
Exploitation Through CI Vendors
Aviad pivots to the CI vendors' responsibilities, since their token issuance logic determines what downstream policies can rely on. In CircleCI's case, a bug allowed organization-wide token claims, exposing multiple projects at once. By requesting tokens from a fork context, an attacker could satisfy broad WIF conditions and reach the cloud without the victim noticing.
Remediation involved making fork tokens opt-in, mirroring GitHub's approach. Aviad stresses learning what each claim means and where it comes from for every IdP, avoiding wildcards, and hardening pipelines so that trivial breaches become impossible.
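The claim scrutiny Aviad recommends, as an added example that is not from the talk or from any of the vendors named: a small evaluator that applies an AWS role trust policy's StringEquals / StringLike conditions to the claims a GitHub Actions ID token would carry, shown with a wildcard policy that admits a fork pull request beside a hardened one that admits only the release branch, plus an auditor that flags wildcard or missing subject and audience checks. The policies, claim sets, repository names and account ID are constructed; the subject formats (`repo:<org>/<repo>:ref:refs/heads/<branch>` and `repo:<org>/<repo>:pull_request`) are the ones GitHub's OIDC provider issues.

```python
"""Added example (not from the talk): evaluate an AWS role trust policy for
GitHub Actions OIDC tokens against the claims a job would present, and flag
wildcard subject conditions.  Policies, claims and account ID are constructed."""
import re

PROVIDER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"

# Weak: any repository in the org, any ref, any event, no audience check.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{PROVIDER}:sub": "repo:acme/*"}},
    }],
}

# Hardened: one repository, one branch, expected audience.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": "sts.amazonaws.com",
            f"{PROVIDER}:sub": "repo:acme/deploy:ref:refs/heads/main",
        }},
    }],
}

# Constructed claim sets in the shape GitHub's ID token uses.
RELEASE_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:acme/deploy:ref:refs/heads/main",
               "repository": "acme/deploy"}
FORK_PR_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:acme/docs-site:pull_request",
               "repository": "acme/docs-site"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run, '?' one character, else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator, key, allowed, claims):
    claim = key.split(":", 1)[1] if ":" in key else key
    if claim not in claims:
        return False  # a missing claim never satisfies StringEquals / StringLike
    value = claims[claim]
    if operator == "StringEquals":
        return value in _as_list(allowed)
    if operator == "StringLike":
        return any(_string_like(p, value) for p in _as_list(allowed))
    raise ValueError(f"unsupported operator {operator}")


def trust_policy_admits(policy, claims):
    """True if some Allow statement for this OIDC provider is satisfied."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        conditions = stmt.get("Condition", {})  # no conditions: any token from the IdP
        if all(_condition_holds(op, key, allowed, claims)
               for op, kv in conditions.items() for key, allowed in kv.items()):
            return True
    return False


def audit_subject_conditions(policy):
    """Findings for missing aud/sub checks and for non-exact subject matches."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        conditions = stmt.get("Condition", {})
        keys = {k for kv in conditions.values() for k in kv}
        if f"{PROVIDER}:aud" not in keys:
            findings.append("no audience (aud) check")
        if f"{PROVIDER}:sub" not in keys:
            findings.append("no subject (sub) check")
        for op, kv in conditions.items():
            for key, allowed in kv.items():
                if key.endswith(":sub"):
                    for pattern in _as_list(allowed):
                        if op != "StringEquals" or "*" in pattern or "?" in pattern:
                            findings.append(f"wildcard subject: {op} {pattern}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, "fork PR:", trust_policy_admits(policy, FORK_PR_JOB),
              "release:", trust_policy_admits(policy, RELEASE_JOB), audit_subject_conditions(policy))
```

The same evaluator applies to any IdP once you know that provider's subject format, which is Aviad's point about learning claim origins per IdP: the CircleCI and Azure subject strings look nothing like GitHub's, and a pattern copied from one to the other is a wildcard in disguise.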
His tool for auditing Azure CLI configurations exemplifies this proactive defense, helping teams identify exposed resources before an attacker does.
Broader Implications for Secure Authentication
Aviad's insights extend beyond CI/CD: understanding OIDC as a whole, with each entity's role (user, IdP, cloud) and the claims that flow between them, is what lets practitioners write resilient policies and resist supply chain attacks.
He encourages bounty hunters to probe these vectors, noting that OIDC itself is mature while its deployments still have persistent gaps. Configured carefully, OIDC turns from a liability into an asset that safeguards digital infrastructure.