
Vulnerability in AWS AppSync allowed unauthorized access to cloud resources

A vulnerability in Amazon Web Services (AWS) AppSync enabled unauthorized cross-account access to AWS resources, according to the findings of security researchers.

AppSync is a service that allows developers to create serverless GraphQL and Pub/Sub APIs. When creating a GraphQL API with AppSync, developers must specify the data source that stores or has access to the data the API will interact with, such as Lambda functions, DynamoDB, RDS, and external APIs.

Tricking AppSync

One of the features of AppSync is to directly invoke AWS APIs such as Amazon S3. To do this, the developer must create a role that has access to the target resource. The developer then creates a “trust policy”, a JSON document that allows AppSync to assume that role.

Researchers at DataDog Security Labs were interested in seeing if they could somehow use the trust policy to trick AppSync into giving them unauthorized access to other AWS accounts.

AWS protects against this kind of attack by making sure the AppSync endpoint and the target resource are in the same account.

This validation is performed using the Amazon Resource Name (ARN), the unique identifier of an AWS resource.

The researchers at DataDog found that they could bypass the ARN validation by simply changing the letter case of the JSON field for the ARN.

This enabled them to create AppSync data sources that could be tied to other AWS accounts. Using this loophole, they could interact with any resource associated with a role that trusts the AWS AppSync service in any account.

In a proof of concept, the researchers show how an attacker could exploit the vulnerability to obtain full control of a cloud-hosted database.
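The trust policy described above is an ordinary IAM policy document. As an added example (not code from the article or from the researchers), the checker below flags Allow statements that let the AppSync service principal assume a role without an aws:SourceAccount or aws:SourceArn condition, the documented confused-deputy scoping for service roles; the two policies and the account ID are constructed samples, and whether AppSync honoured these keys at the time of the bug is not something the article states.

```python
import json

# Constructed sample: a typical AppSync service-role trust policy with no scoping.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: same role, but only assumable on behalf of one account.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}},
    }],
})

SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_service_statements(policy_json, service="appsync.amazonaws.com"):
    """Return the indexes of Allow statements that let `service` assume this role
    without restricting which source account or resource may trigger it."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if service not in services or not (actions & ASSUME_ACTIONS):
            continue
        # IAM condition key names are case-insensitive, so compare lower-cased:
        # a check that only matches one spelling is the same class of mistake the
        # article describes, where a different letter case slipped past validation.
        condition = stmt.get("Condition", {})
        cond_keys = {key.lower() for block in condition.values() for key in block}
        if not cond_keys & SCOPING_KEYS:
            findings.append(index)
    return findings
```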

Difficult detection

Because the logs generated by the attack show all activity as coming from the AppSync service, detecting the attack would be difficult: if the attacker already knew the ARN of the AppSync role and the resources they wanted to access, the logs would look like normal activity.

However, under normal circumstances, the attacker would need to do some brute force probing to find the target resources, which would result in an unusual amount of AccessDenied events in the AWS log. Administrators would also be able to detect attacks by looking for anomalous behavior, such as an AppSync service accessing an AWS resource for the first time.

Amazon patched the vulnerability in AppSync in September, while the research blog post was published this week. According to the company, there were no indications of the vulnerability having been exploited in the wild.

“[We] have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted,” Amazon said in a statement.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/vulnerability-in-aws-appsync-allowed-unauthorized-access-to-cloud-resources
