The AWS RDS service does not require transport layer security (TLS) for client connections by default, allowing clients to connect insecurely.
Additionally, for the more commonly used MySQL and MariaDB RDS engine types, this setting cannot be enabled at all.
Affected Services
RDS
Remediation
For databases other than MySQL and MariaDB, modify the require_secure_transport or rds.force_ssl
values of the attached DB cluster parameter group. For MySQL and MariaDB there is no known workaround,
other than ensuring clients connect to these database types only within the VPC. In general, ensure that
RDS database instances without SSL/TLS enabled are not exposed over public networks.
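
The check described in the remediation, as an added example (not AWS or project code): it classifies instances from records shaped like the output of `aws rds describe-db-instances` and `aws rds describe-db-cluster-parameters`. The severity labels, the accepted "enabled" spellings, the function names and the sample identifiers are assumptions made for illustration.

```python
# Added example: offline audit logic. Inputs mirror the JSON returned by
# `aws rds describe-db-instances` and `describe-db-cluster-parameters`.
TLS_PARAMS = ("rds.force_ssl", "require_secure_transport")
ENABLED = {"1", "on", "true"}                  # assumption: "enabled" spellings
NO_ENFORCEMENT_ENGINES = {"mysql", "mariadb"}  # per the page: no such setting

def tls_enforced(parameters):
    """True if a TLS-enforcement parameter in the group is switched on."""
    for p in parameters:
        value = str(p.get("ParameterValue") or "").strip().lower()
        if p.get("ParameterName") in TLS_PARAMS and value in ENABLED:
            return True
    return False

def assess(instance, parameters):
    """Return (severity, reason) for one DB instance record."""
    engine = instance["Engine"].lower()
    public = bool(instance.get("PubliclyAccessible"))
    if engine in NO_ENFORCEMENT_ENGINES:
        if public:
            return ("HIGH", "engine cannot enforce TLS and is publicly accessible")
        return ("INFO", "engine cannot enforce TLS; keep clients inside the VPC")
    if tls_enforced(parameters):
        return ("OK", "TLS required by the parameter group")
    if public:
        return ("HIGH", "TLS not enforced and instance is publicly accessible")
    return ("MEDIUM", "set rds.force_ssl or require_secure_transport")

def audit(fleet):
    """Map instance identifier -> severity for (instance, parameters) pairs."""
    return {i["DBInstanceIdentifier"]: assess(i, p)[0] for i, p in fleet}

# Constructed sample records (hypothetical identifiers, not real resources).
SAMPLE_FLEET = [
    ({"DBInstanceIdentifier": "orders-pg", "Engine": "postgres", "PubliclyAccessible": False},
     [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]),
    ({"DBInstanceIdentifier": "reports-pg", "Engine": "postgres", "PubliclyAccessible": True},
     [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]),
    ({"DBInstanceIdentifier": "app-aurora", "Engine": "aurora-mysql", "PubliclyAccessible": False},
     [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}]),
    ({"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "PubliclyAccessible": True}, []),
    ({"DBInstanceIdentifier": "cache-maria", "Engine": "mariadb", "PubliclyAccessible": False}, []),
]

if __name__ == "__main__":
    for name, severity in audit(SAMPLE_FLEET).items():
        print(f"{severity:6} {name}")
```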