"New Vulnerabilities Highlight Risks of Trust in Public Cloud"

Amazon Web Services (AWS) has fixed two vulnerabilities contained by its core services. According to Orca Security, the exploitation of one of the flaws could have allowed any user to access and take over any company's infrastructure. Although the vulnerabilities have now been fixed, the attack chain involving compromising a core service, escalating privileges, and using those privileges to attack other users, also affects users on different cloud services. Yoav Alon, chief technology officer at Orca Security, says the method impacts many other cloud vendors. The root of the problem is that there is a lack of isolation between services and little granularity in the permissions of different services and users. The most critical of the two vulnerabilities was discovered in AWS Glue, a serverless integration service that lets AWS users manage, clean, and transform data. Attackers could have used this flaw to compromise the service and gain administrative privileges. Since the AWS Glue service is trusted, the attackers could have used their role to access other users' environments. Orca's researchers were able to escalate privileges to the point where they had unrestricted access to all the service's resources in the region, including complete administrative privileges. The second vulnerability was found in AWS CloudFormation (CF), a service that enables users to provision resources and cloud assets. This flaw allowed the researchers to compromise a CF server and run as an AWS infrastructure service. It is an XML External Entity (XXE) issue that could have allowed attackers to penetrate protections implemented to isolate different AWS users. These vulnerabilities highlight the advantages and weaknesses of the cloud model. Cloud providers are encouraged to improve isolation between their services to prevent malicious actors from abusing flaws in a core service to compromise the security model of the overall cloud. This article continues to discuss the two major AWS security flaws and how these vulnerabilities highlight the risk of trust in the public cloud. 

Dark Reading reports "New Vulnerabilities Highlight Risks of Trust in Public Cloud"