medium

Launching EC2s did not require specifying AMI owner

Published Mon, Aug 13th, 2018

Platforms

Summary

Attackers had put malicious AMIs in the marketplace to abuse the CLI''s way of selecting what AMI to use. Although the concept of planting malicious AMIs had existed for a while (ex. in the 2009 presentation "Clobbering the clouds" by Nicholas Arvanitis, Marco Slaviero, and Haroon Meer) it had not been used specifically to target this issue with the CLI.

Affected Services

EC2

Remediation

Update CLI and other tools that create EC2s

Tracked CVEs

CVE-2018-15869

References

https://github.com/hashicorp/packer/issues/6584

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Mon, Aug 13th, 2018

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Megan Marsh

More vulnerabilities...

low

Subdomain takeover via Azure Traffic Manager

Patrick Hudak demonstrated possible subdomain takeover using the Traffic Manager in Azure.

Patrick Hudak

Fri, Aug 10th, 2018

low

AWS ElasticSearch Index Name Leakage

Even for the AWS-managed ElasticSearch clusters that had not been made public, their index names could be learned.

Scott Piper, Duo Security

Tue, May 15th, 2018

medium

Bypassable and overly-privileged IAM policies

AWS has previously provided managed policies or guidance in documentation for policies with mistakes that allow them to be bypassed. Additionally, some policies are over-privileged. Date of disclos...

Multiple findings

Tue, Nov 7th, 2017

View all