medium

AWS CloudTrail bypass for specific IAM actions

Published Tue, Jan 17th, 2023

Platforms

Summary

Through an undocumented API service called 'iamadmin', attackers could invoke any of 13 read-only IAM actions without the activity being being logged to CloudTrail. These actions included listing group policies (iam:ListGroupPolicies), listing access keys (iam:ListAccessKeys), retrieving information about a role (iam:GetRole), and more. This could have enabled adversaries to perform enumeration and reconnaissance activity undetected after gaining a foothold in a victim AWS environment.

Affected Services

IAM

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/

Contributed by https://github.com/frichetten

Entry Status

Finalized

Disclosure Date

Thu, Mar 10th, 2022

Exploitablity Period

Until 2022/10/24

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Nick Frichette, Datadog

More vulnerabilities...

high

XSS in Google Cloud Theia notebooks

This vulnerability chain exploits a Cross-Site Scripting (XSS) flaw (CVE-2021-41038) within the Theia IDE used in Google Vertex AI Workbench. An attacker could inject malicious JavaScript code into...

Sivanesh Ashok, Sreeram KL

Sun, Jan 15th, 2023

high

Bypassing authorization in Google Cloud Workstations

Several vulnerabilities were present in how Google Cloud Shell (ssh.cloud.google.com) handled OAuth credentials. These included an open-redirect vulnerability, where attackers could redirect users ...

Sivanesh Ashok, Sreeram KL

Fri, Jan 13th, 2023

high

SSH key injection in Google Cloud Compute Engine

Google Cloud Compute Engine (GCE) was vulnerable to SSH key injection by abusing an SSH-in-browser feature to change username and password. An attacker could send a specially-crafted link to a targ...

Sivanesh Ashok

Thu, Jan 12th, 2023

View all