These two major AWS security flaws could have left user accounts wide open

Patches were issued within six days

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

AmazonWeb Services (AWS) has been forced to patch two major security vulnerabilities, which could have been used to steal sensitive data, reports have claimed.

The two vulnerabilities in Amazon’scloudcomputingarmwere discovered by cybersecurity researchers from Orca Security, and were dubbed Superglue and BreakingFormation.

Superglue exploits an issue in AWS Glue, allowing users to access data managed by other Glue users. AWS Glue is a service which customers use to store huge swathes of data.

A fix within a day

A fix within a day

“We were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account,” Orca said, “which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”

By taking advantage of the flaw, Orca’s researchers managed to do a number of potentially malicious things, such as assume roles in AWS customer accounts trusted by Glue; query and modify AWS Glue service-related resources in a specific region; discovered a way to access data managed by other Glue users. It’s important to note that Orca did not actually gain access to anyone else’s data.

BreakingFormation leverages a vulnerability found in AWS CloudFormation, a tool that lets users “model, provision, and manage AWS and third-party resources by treating infrastructure as a code.”

According to Orca, this vulnerability could have been used to steal sensitive data from third parties.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Orca’s researchers tested the fixes (which allegedly took AWS roughly 25 hours to code) and found that the vulnerabilities were fully patched and no longer exploitable.

Via:PCMag

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)