
AWS patches bypass bug in CloudTrail API monitoring tool

Amazon Web Services (AWS) has patched a bypass bug that attackers could exploit to circumvent CloudTrail API monitoring.

In a blog post dated January 17, Datadog Security Labs senior researcher Nick Frichette said the vulnerability impacts the CloudTrail event logging service, a data source for defenders examining API activities.

Event logging solutions can be crucial for defenders in detecting suspicious activities and performing forensic work following a security incident.

CloudTrail monitors and logs events in an AWS environment, including API usage. However, according to the Datadog Security Research Team, a technique existed for bypassing that logging, allowing threat actors to perform reconnaissance in the IAM service without leaving a trace.

The team looked at two services, iam and iamadmin, that receive requests from the AWS Console. Datadog found that iamadmin was an undocumented API, and that calling endpoints such as ListMFADevicesForMultipleUsers, a wrapper for iam:ListMFADevices, produced no event in CloudTrail.

The team found 13 IAM methods that could be called through iamadmin this way, although some generated unexpected behavior.

“After playing with this technique for a while, it became clear that this was not intended functionality,” Frichette commented.

“Being able to bypass CloudTrail logging and getting the results of those calls has serious implications for defenders, because it limits their ability to track what an adversary has done in an environment and what actions they’ve taken.”

Furthermore, the researcher said that the same technique could make it possible to bypass Amazon’s GuardDuty, as CloudTrail is used as its data source.

Repercussions

By exploiting the flaw, attackers could perform reconnaissance activities. Speaking to The Daily Swig, Frichette explained that when the iamadmin service invokes IAM API calls, an attacker could, for example, trigger iam:ListGroupsForUser to “return what groups an IAM user was a part of.”

Furthermore, “iam:ListAttachedGroupPolicies would return what IAM policies are associated with an IAM group, which may reveal groups which are particularly privileged [and] iam:ListMFADevices would return if an IAM user has an MFA [multi-factor authentication] device attached to their account (useful for picking future targets)”.

An AWS spokesperson confirmed the existence of the vulnerability. It should be noted, however, that the affected APIs were read-only and still enforced the customer's own IAM authentication and authorization rules, so the bypass did not grant any access the caller did not already have; it only hid the calls from the log.

“The compromised entity must have sufficient privileges to invoke these actions, but with this vulnerability, they could perform these actions completely undetected,” Datadog noted.
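The calls above are the kind of low-noise IAM enumeration a defender would want to catch once they do reach CloudTrail, and the bypass itself is the kind of gap a purple-team exercise can surface by comparing the calls it made against the events that were recorded. The following is an added example, not code from the article, Datadog or AWS: it runs a burst detector for IAM reconnaissance over constructed CloudTrail records and performs an expected-versus-observed coverage check. The record shape follows CloudTrail's documented fields; the account ID, principal ARNs, user names, timestamps and thresholds are made up for the example.

```python
"""Detect IAM reconnaissance in CloudTrail records and check logging coverage.

Added example. The records below are constructed, not real CloudTrail data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Read-only IAM calls the Datadog write-up names as useful for target selection.
# Extend this set (e.g. ListUsers, GetAccountAuthorizationDetails) to suit.
RECON_EVENT_NAMES = {"ListMFADevices", "ListGroupsForUser", "ListAttachedGroupPolicies"}


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 with a trailing Z, e.g. 2022-03-10T14:02:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _record(event_time, event_name, caller, target_key, target):
    """Build a minimal CloudTrail record (constructed sample; account ID is fictional)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "readOnly": True,
        "userIdentity": {
            "type": "IAMUser",
            "userName": caller,
            "arn": f"arn:aws:iam::123456789012:user/{caller}",
        },
        "requestParameters": {target_key: target},
    }


# Constructed log: "contractor" enumerates three users in under a minute,
# while "ops-admin" makes one routine group-policy lookup hours earlier.
SAMPLE_RECORDS = [
    _record("2022-03-10T14:00:05Z", "ListMFADevices", "contractor", "userName", "alice"),
    _record("2022-03-10T14:00:20Z", "ListMFADevices", "contractor", "userName", "bob"),
    _record("2022-03-10T14:00:40Z", "ListMFADevices", "contractor", "userName", "carol"),
    _record("2022-03-10T14:01:10Z", "ListGroupsForUser", "contractor", "userName", "carol"),
    _record("2022-03-10T09:30:00Z", "ListAttachedGroupPolicies", "ops-admin", "groupName", "Admins"),
]

# Constructed red-team journal: calls the operator made, with their times.
# The second one has no matching record above, i.e. it was not logged.
RED_TEAM_CALLS = [
    ("ListMFADevices", "2022-03-10T14:00:05Z"),
    ("ListAttachedGroupPolicies", "2022-03-10T14:02:00Z"),
]


def iam_recon_events(records):
    """Yield (principal_arn, time, event_name, target) for IAM recon calls."""
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in RECON_EVENT_NAMES:
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("userName") or params.get("groupName") or "-"
        yield rec["userIdentity"]["arn"], parse_time(rec["eventTime"]), rec["eventName"], target


def find_recon_bursts(records, window=timedelta(minutes=10), min_targets=3):
    """Map principal ARN -> sorted targets for principals that enumerated at least
    `min_targets` distinct users or groups via recon calls inside one `window`."""
    by_principal = defaultdict(list)
    for arn, when, name, target in iam_recon_events(records):
        by_principal[arn].append((when, name, target))

    hits = {}
    for arn, events in by_principal.items():
        events.sort()  # time-ordered so a sliding window is valid
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {e[2] for e in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[arn] = sorted(targets)
                break
    return hits


def missing_events(expected, records, slack=timedelta(minutes=15)):
    """Coverage check: for each (eventName, time) a red team recorded, confirm a
    CloudTrail record with that eventName exists within `slack`. Returns the calls
    with no matching record; a pre-fix iamadmin call would land here."""
    observed = [(r["eventName"], parse_time(r["eventTime"])) for r in records]
    gaps = []
    for name, when in expected:
        wanted = parse_time(when)
        if not any(n == name and abs(t - wanted) <= slack for n, t in observed):
            gaps.append((name, when))
    return gaps


if __name__ == "__main__":
    print("recon bursts:", find_recon_bursts(SAMPLE_RECORDS))
    print("unlogged calls:", missing_events(RED_TEAM_CALLS, SAMPLE_RECORDS))
```

The burst detector keys on distinct targets rather than raw call counts, so a single admin checking one group's policies is not flagged while an identity walking through several users' MFA status within minutes is. The coverage check is the part that would have exposed the bug described here: any call in the operator's own journal that never produces a CloudTrail event is a logging gap worth escalating, whatever its cause.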

Disclosure

The researchers reported the issue to AWS on March 10, 2022. Amazon’s security team acknowledged the report on the same day. Still, due to the complexity of internal changes required to remediate the bug, it wasn’t until October that a fix was pushed.

On October 24, AWS released a fix that updated iamadmin API calls to generate events in CloudTrail in the same manner as the iam service.


An AWS spokesperson confirmed that the impacted API methods have been updated and no customer action is required.

“These types of vulnerabilities are not common,” Frichette says. “To my knowledge, there are no other publicly known vulnerabilities that allowed an attacker to bypass logging for AWS API actions that normally would be logged.”


Source: https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool
