Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro

Researchers, while investigating the security posture of Public AMIs, were
able to undelete files from an official image that was published by Amazon AWS.


AWS published official AMIs with recoverable deleted files

AWS identified two vulnerabilities in specific versions of native clients for Amazon WorkSpaces, Amazon AppStream 2.0, and Amazon DCV. These issues could allow man-in-the-middle attacks, potentially giving attackers access to remote sessions. Affected versions include WorkSpaces clients 5.20.0 or earlier, AppStream 2.0 Windows client 1.1.1326 or earlier, and various DCV clients. AWS recommends upgrading to patched versions to address these security concerns.


Issue with Amazon WorkSpaces and AppStream 2.0 Clients

Azure Active Directory Seamless Single Sign-On feature allowed single-factor brute-force attacks
against Azure AD without generating sign-in events in the targeted organization’s tenant.


Azure AD Seamless SSO logging bypass

Liv Matan

Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details
page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS).
This meant that post-authentication, a threat actor could have exploited this
to store their JavaScript payload in the victim's managed Apache Airflow instance
and run JavaScript on behalf of the victim (who could be an admin or another
user with higher permissions than the threat actor, thereby leading to privilege escalation).
With JavaScript, threat actors could have run any operation in the session that the victim
is able to run — edit tasks, read jobs, run jobs, read plugins and configurations, 
list connections, add variables and more.


ApatchMe

Emilien Socchi

Azure Cognitive Search (ACS) is a full-text search engine service.
A new non-default feature allowed for a network control to bypassed, permitting an attacker to submit search queries to any other tenant's network-isolated ACS instance. However, abusing this required a valid API key 
to access the data plane of the target, along with a number of pieces of information about the target environment (such as the subscription ID and the name of the index to query).


ACSESSED

Azure API Management is an API gateway service meant to help organizations to create, manage, secure,
and monitor APIs across all of their environments. Researchers found three high severity vulnerabilities
in the service, two of which are SSRF (Server Side Request Forgery) vulnerabilities, and the third is a
path traversal bug. The SSRF issues affected the Azure API Management CORS proxy (which handles schema
retrieval) and hosting proxy (which routes API requests to the correct server). An attacker successful
in exploiting each of these SSRF vulnerabilities could fake requests from these legitimate servers and
thereby gain access to internal Azure services. However, the researchers did not determine the effective
impact of this access level, and it's therefore possible that Azure had security measures in place which
would have blocked further lateral movement. The path-traversal vulnerability allowed for an unrestricted
file upload to the Azure developer portal server. The portal's authenticated mode allows users to upload
static files and images to be displayed within the portal website, but this vulnerability could have allowed
an attacker to upload code instead, and then potentially execute it on the server itself.


API Management SSRF and path traversal vulnerabilities

Juho Nurminen

The @actions/core package had a delimiter injection vulnerability in the exportVariable function. Attackers could use a known delimiter to break out of a specific variable and assign values to other arbitrary variables. This may have allowed modification of path or environment variables without the intention of workflow or action authors.


Actions Core Delimiter Injection Vulnerability

Lidor Ben Shitrit

By misusing the Apiary web service and taking advantage of Apiary's use of IMDSv1,
a remote attacker is able to retrieve sensitive information from various endpoints
and use it to gain more access and sensitive data of other hosts in the same environment.


Oracle Apiary SSRF

Ian Duffy

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed.
It allowed malicious actors uploading packages that would be acquired by client virtual machines on their next yum update. 
The vulnerable infrastructure supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.


Public admin access to Azure's Red Hat Update Infrastructure

Nick Frichette

The API action ListObservabilityConfigurationsForAccount did not properly validate the 
"AccountId" parameter that was passed to it. As a result, any account ID could be provided 
and the API would return the information for that account. This would leak minor information
about the observability configuration for App Runner in the account.


App Runner cross-tenant observability config info leak

s1r1us

AI Hub Jupyter Notebook server lacked a check of the Origin header that
led to a CSRF vulnerability. An attacker could have read sensitive data and execute
arbitrary actions in customer environments.


AI Hub Jupyter Notebook instance CSRF

The API action ListVpcConnectorsForAccount did not properly validate the "AccountId" parameter
that was passed to it. As a result, any account ID could be provided and the API would return
the information for that account. This would leak minor information about the VPC 
configuration for App Runner in the account including the subnet ID, security group ID, and the
VPC Connector ARN.


App Runner cross-tenant VPC connectors info leak

James Kettle (Portswigger), Arkadiy Tetelman (Chime)

ALBs found vulnerable to HTTP request smuggling (desync attack).


ALB HTTP request smuggling

Jackson Reid

Asset Key Thief was a Google Cloud 
privilege escalation vulnerability that enabled 
principals with the "Cloud Asset Viewer" role (or other roles 
with the `cloudasset.assets.searchAllResources` permission) on the 
Cloud Asset Inventory API, at the Project, Folder, or Organization level 
to view and exfiltrate any user-managed Service Account 
private key under a project within the same Google Cloud environment that 
had been created or rotated up to a maximum of 12 hours ago. 
Access to Service Account private keys enable the full assumption 
of that Service Account's identity and privileges, which would have given 
attackers with existing access to a Google Cloud environment a persistent and reliable
method of lateral movement and privilege escalation. Google has since fixed this 
vulnerability, but affected customers must rotate their keys manually.


Asset Key Thief

Daniel Grzelak

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their
AWS role trust policies, leading to confused deputy issues. These misconfigurations could
allow customers to access other customers' data. Although vendors are responsible for
ensuring their own configurations are correct, AWS could theoretically add mitigations
to prevent and detect this issue.


3rd party vendor confused deputy via AssumeRole

Elad Gabay

Any unattached storage volume, or attached storage volumes allowing multi-attachment,
could have been read from or written to as long as an attacker knew their Oracle Cloud Identifier (OCID),
allowing sensitive data to be exfiltrated or even more impactful attacks to be initiated via
executable file manipulation in the target tenant's environment.


AttachMe

Yanir Tsarimi

An exposed endpoint in the Azure Automation Service allowed to steal Azure
API credentials from other customers


AutoWarp

AWS identified an issue in the Amazon WorkSpaces Windows client which resulted in unintentionally logging
connection debugging information to a user's local system. This data could include usernames or passwords
if they contain specific characters: \ (backslash) or " (double quotes). If an attacker gained access to
an Amazon WorkSpaces user's machine, they could then compromise such credentials from the log.


Amazon WorkSpaces Windows client credential logging

Johann Rehberger

An Indirect Prompt Injection attack can cause the LLM to return
markdown tags. This allows an adversary who’s data makes it into
the chat context (e.g via an uploaded file) to achieve data
exfiltration of the victim’s data by rendering hyperlinks.


Amazon Q for Business Data Exfiltration

The AWS Amplify service was found to be misconfiguring IAM roles associated 
with Amplify projects. This misconfiguration caused these roles to be assumable 
by any other AWS account. Both the Amplify Studio and the Amplify CLI 
exhibited this behavior. Any Amplify project created using the Amplify CLI
built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by
anyone in the world. The same was true if the authentication component was removed
from an Amplify project using the Amplify CLI or Amplify Studio built between
August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to
STS and IAM, and also released a patch for the Amplify CLI to ensure that newly
created roles are properly configured in accordance with these changes.


AWS Amplify IAM role publicly assumable exposure

Researchers at Omegapoint identified two issues in AWS API Gateway authorizers: 1) A header rewrite feature could be abused to bypass authorization by overwriting headers after the authorizer lambda processed them. 2) Caching of authorization policies could be exploited to reuse cached policies with modified identification sources, bypassing the authorizer.


AWS API Gateway Header Smuggling and Cache Confusion

Daniel Thatcher

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering
with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning
and request smuggling.


AWS API Gateway HTTP header smuggling

AppFlow had an undocumented service called sandstoneconfigurationservicelambda. 
An undocumented field (awsOwnedManagedAppCredentialsArn) could be used during
connector registration and connector updates. Specifying a victim's Secret ARN
as that field disclosed the clientId and clientSecret, so long as the victim
Secret ARN belonged to a connection profile which is of the type 
OAuth or contains clientId and clientSecret.


AWS AppFlow secrets disclosure

The AppFlow WooCommerce connector allowed specification of a full URL.
The connector included details of response content when the URL
offered an unexpected response. This means you could make arbitrary
GET requests to any URL from the WooCommerce connector, and view the 
response content. The response in the error was truncated to 500 characters.


AWS AppFlow WooCommerce SSRF

Saransh Rana

Credentials can be extracted from AppStream. When used, they obscure
the sourceIP and userName of the initial user. The sourceIP appears 
as appstream.amazonaws.com.


AWS AppStream Cloudtrail Bypass

The AWS AppSync service could be coerced to assume arbitrary roles in
other customers' accounts which trusted the AppSync service. This was
due to insufficient validation of a serviceRoleArn parameter (caused by
a case-sensitivity parsing issue). With this vulnerability, if an adversary
knew the ARN of the role associated with AppSync in the target account,
they could use it invoke arbitrary AWS API calls.


AWS AppSync confused deputy via ServiceRoleArn

Felix Wilhelm

Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster
through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). Multiple issues
were identified in the authenticator that could have allowed exploitation, namely (1) a
lax regular expression used to verify presigned URLs; (2) HTTP client redirect follow
(due to using Golang HTTP client in its default configuration); (3) use of the Golang URL.Query
function (which silently drops parameters that Go considers invalid, rather than raising
an error and rejecting invalid tokens); and (4) no verification that the cluster uses Go
versions newer than 1.12 (as older versions are vulnerable to request smuggling).


Multiple issues in AWS IAM Authenticator for Kubernetes

AWS identified a security issue in the AWS CDK CLI versions 2.172.0-2.178.1 where temporary credentials from custom credential plugins could be printed to console output. This potentially exposes sensitive information to users with access to the console. The issue affects plugins that include an expiration property when returning temporary credentials.


AWS CDK CLI Issue with Custom Credential Plugins

Ofek Itach, Yakir Kadkoda

The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format
(cdk-{Qualifier}-assets-{Account-ID}-{Region}), where the default “random” qualifier (hnb659fds) is common and easily guessed. If an AWS customer deletes this bucket and reuses CDK, 
an attacker who claims the bucket can inject malicious CloudFormation templates, potentially gaining admin access. Attackers supposedly only need the AWS account ID to prepare the bucket 
in various regions, exploiting the default naming convention. However, it is important to note that the additional conditions greatly lower the likelihood of exploitation. 
The victim must use the CDK, having deleted the bucket, and then subsequently attempt to deploy with the CDK. Making it so that even if there is a vulnerable account, it could be months, 
if ever for the attack to work.


AWS CDK Bucket Squatting Risk

The AWS Client VPN service was found to be affected by two
vulnerabilities which could potentially allow malicious actors with access to
a user’s device to execute arbitrary commands with elevated privileges,
including escalating to root access. Both vulnerabilities stem from buffer
overflow issues, a common programming error that can be exploited to overwrite
memory and gain unauthorized control over a system. The impact of these
vulnerabilities is severe, as successful exploitation could lead to complete
compromise of an affected device. Attackers could gain access to sensitive
data, install malware, or disrupt system operations. Given the widespread use
of AWS Client VPN for secure remote access, the potential for widespread
exploitation is a significant concern. AWS has acted swiftly to address these
vulnerabilities, releasing updated versions of the Client VPN software for all
supported platforms. However, the onus is on users to promptly apply these
updates to mitigate the risk.


AWS Client VPN buffer overflow

If attacker controlled data is viewed in Cloudshell it could have led to
code execution. This exact same issue existed in Azure previously.


AWS CloudShell terminal escape

Carlos Polop

An attacker with elevated permissions in CodeBuild could leak 
the configured credentials for Github/Bitbucket. This was possible by 
configuring the http_proxy and https_proxy variables, which would allow 
you to capture the credentials via MITM.


The Open Cloud Vulnerability
& Security Issue Database

Tags:

Recently published

Entra ID actor token validation bug allowing cross-tenant global admin

Dirk-jan Mollema, Outsider ...

Dataform cross-tenant path traversal

Unknown

AWS ECS Agent Information Disclosure Vulnerability

Amazon Web Services

Remote Prompt Injection in GitLab Duo Leaks Source Code

Omer Mayraz, Legit Security

AWS Security Tool Introduces Privilege Escalation Risk

Eliav Livneh, Token Security

FreeRTOS and coreSNTP Security Advisories

sweeneyirrigreen

The Open Cloud Vulnerability & Security Issue Database