low

CloudFormer review

Published Fri, Sep 25th, 2020

Platforms

Summary

An audit of an AWS open-source project identified a great deal of issues, and as a result AWS made the decision to take it down.

Affected Services

CloudFormer

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://blog.karims.cloud/2020/09/25/cloudformer-review-part-1.html

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Fri, Sep 25th, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Karim El-Melhaoui, O3 Cyber

More vulnerabilities...

high

CloudFormation resource provider credentials leak

CloudFormation allows the use of Lambda-backed resource providers, wherein Lambda can be used to write custom provisioning logic to be executed during CloudFormation stack operations. The aforement...

Aidan Steele

Tue, Sep 22nd, 2020

low

Timing attack with Lambda and CloudWatch Synthetics

The immutability of Lambda versions could be violated via a timing attack against CloudWatch Synthetics canaries.

Ian Mckay

Tue, Sep 15th, 2020

low

CloudFormation denial of service (in a single account)

An attacker with the ability to create CloudFormation stacks could cause a denial-of-service on some CloudFormation actions within a single AWS account.

Ian Mckay

Tue, Sep 1st, 2020

View all