"AWS Fixes 'Confused Deputy' Vulnerability in AppSync"

Amazon Web Services (AWS) has patched a cross-tenant vulnerability in AWS AppSync that could have allowed an attacker to make the service assume Identity and Access Management (IAM) roles in other customers' AWS accounts, gaining access to, and control over, whatever those roles could reach. Datadog security researchers discovered the bug on September 1, 2022, and reported it to AWS; five days later AWS deployed an update to the AppSync service, which Datadog confirmed resolved the issue. According to AWS, no customers were affected by the vulnerability, and no customer action is required.

AWS AppSync gives application developers a managed GraphQL interface for combining data from Amazon DynamoDB, AWS Lambda, and external Application Programming Interfaces (APIs). To let AppSync call a data source on their behalf, developers create an IAM role whose trust policy allows the AppSync service principal to assume it and whose permissions policy grants the access that data source needs; AppSync then assumes that role when it resolves requests.

Datadog's researchers, whose product integrates with AppSync, set out to see whether they could trick the service into assuming a role belonging to someone else and then reading and modifying that account's data sources. Their proof of concept is a textbook confused deputy problem: the attacker persuades a more privileged service (the deputy) to perform, on the attacker's behalf, an action the attacker could not perform directly.

AppSync checks that the role ARN supplied in a request belongs to the caller's own account. The researchers found that this Amazon Resource Name (ARN) validation could be circumvented with a mixed-case JSON payload: the validation looked for the field that names the service role with one capitalisation, while the request parser still accepted the value when the key was spelled with different casing, so the check was skipped but the ARN was still used. With the validation bypassed, an attacker could cross account boundaries and execute AWS API calls in a victim's account through any IAM role that trusted the AppSync service, interacting with the data source as though they were its owner. The standing AWS defence against this class of problem, independent of the service-side fix, is to add the aws:SourceAccount or aws:SourceArn condition keys to the trust policy of any role a service principal may assume, so the service can only assume the role on behalf of the expected account or resource. This article continues to discuss the fix and the potential impact of the vulnerability found in AWS AppSync.
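The two halves of the bug class described above, as an added example that is not code from AWS, Datadog or The Register: a validator that reads a JSON key with exact case while the backend reads it case-insensitively, so a differently cased key skips the cross-account check, beside a fixed pipeline that normalises keys once before validating. The field name serviceRoleArn is AppSync's real parameter for the data-source role, but the exact casing the researchers used, the account IDs, role names, request bodies and trust policies here are all constructed for the illustration. The final function checks the mitigation on the customer's side: whether a role's trust policy pins aws:SourceAccount or aws:SourceArn.

```python
"""Illustration of a case-sensitivity mismatch between request validation and
request use, plus a trust-policy check for the confused-deputy mitigation.
Constructed example; accounts, roles and policies are hypothetical."""
import json
import re

# arn:aws:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Constructed sample data (hypothetical accounts and roles).
ATTACKER_ACCOUNT = "111111111111"
VICTIM_ACCOUNT = "222222222222"
ATTACKER_ROLE_ARN = f"arn:aws:iam::{ATTACKER_ACCOUNT}:role/appsync-ds-role"
VICTIM_ROLE_ARN = f"arn:aws:iam::{VICTIM_ACCOUNT}:role/appsync-ds-role"

# Normal request: the role lives in the caller's own account.
OWN_REQUEST = json.dumps({"name": "ds", "serviceRoleArn": ATTACKER_ROLE_ARN})
# Straightforward cross-account attempt: the validator catches this one.
DIRECT_REQUEST = json.dumps({"name": "ds", "serviceRoleArn": VICTIM_ROLE_ARN})
# Same cross-account ARN, but the key is cased differently (assumed casing).
BYPASS_REQUEST = json.dumps({"name": "ds", "serviceRoleARN": VICTIM_ROLE_ARN})


def account_of(arn: str) -> str:
    """Return the 12-digit account ID embedded in an IAM role ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(1)


def lenient_lookup(body: dict, key: str):
    """Backend-style lookup that ignores key case (the deputy half of the bug)."""
    for k, v in body.items():
        if k.lower() == key.lower():
            return v
    return None


def process_naive(request_json: str, caller_account: str):
    """Flawed pipeline: exact-case read for validation, case-insensitive use.
    Returns the role ARN the service would assume, or None if rejected."""
    body = json.loads(request_json)
    arn = body.get("serviceRoleArn")  # only validated if the key matches exactly
    if arn is not None and account_of(arn) != caller_account:
        return None  # cross-account role, rejected
    return lenient_lookup(body, "serviceRoleArn")  # backend finds it regardless of case


def process_fixed(request_json: str, caller_account: str):
    """Hardened pipeline: normalise keys once, then validate and use the same value."""
    body = json.loads(request_json)
    normalised = {k.lower(): v for k, v in body.items()}
    arn = normalised.get("servicerolearn")
    if arn is None or account_of(arn) != caller_account:
        return None
    return arn


# Trust policies for a role that AppSync may assume (constructed examples).
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": VICTIM_ACCOUNT},
            "ArnLike": {"aws:SourceArn": f"arn:aws:appsync:us-east-1:{VICTIM_ACCOUNT}:apis/*"},
        },
    }],
}


def trust_policy_is_scoped(policy: dict, service: str = "appsync.amazonaws.com") -> bool:
    """True if every Allow statement letting `service` assume the role also pins
    aws:SourceAccount or aws:SourceArn, the standard confused-deputy mitigation."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        if service not in services:
            continue
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            return False
    return True
```

Run against the constructed requests, the naive pipeline rejects the direct cross-account request but hands the victim's role ARN to the backend for the differently cased one, while the fixed pipeline rejects both and still accepts the caller's own role. The policy checker flags the loose trust policy and passes the scoped one; the same check is worth running over every role in an account whose trust policy names a service principal, not only AppSync's.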

The Register reports "AWS Fixes 'Confused Deputy' Vulnerability in AppSync"
