Summary
AWS applies a rate limit to authentication requests made to the AWS Console
in an effort to prevent brute-force and credential stuffing attacks. However,
a weakness was discovered in the AWS Console authentication flow that allowed
a partial bypass of this rate limit by pausing for 5 seconds every 30 attempts.
This would enable an attacker to continuously attempt more than 280 passwords
per minute (4.6 per second) against IAM users, which could have resulted in
account compromise of users without MFA enabled.
Affected Services
AWS Console
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Wed, Dec 7th, 2022
Exploitablity Period
Until January 26th, 2023
Known ITW Exploitation
-
Detection Methods
Detect potential brute-force behavior using the CloudTrail ConsoleLogin event.
Piercing Index Rating
-
Discovered by
Christophe Tafani-Dereeper, Datadog
