medium

ELB Cache mechanism HTTP header smuggling

Published Tue, May 17th, 2022

Platforms

Summary

While testing rate-limiter protection, The researcher noticed that when forcing HTTP/1 requests and injecting a space after `X-Forwarded-For` he was able to override this specific header, letting him impersonate any IP. Any internal header could have beem overridden, also the one that should not be exposed/forwarded by the client, such as `CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header. This special security issue was affecting all AWS users with that a specific setting enabled.

Affected Services

ELB

Tracked CVEs

No tracked CVEs

References

https://twitter.com/nJoyneer/status/1526593840928411650 https://raw.globalsecuritydatabase.org/GSD-2022-1002524

Contributed by https://github.com/mhgeay

Entry Status

Finalized

Disclosure Date

Sun, Jan 24th, 2021

Exploitability Period

Fixed on 2022/01/29

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Andrea Brancaleoni, Brave

More vulnerabilities...

critical

Synlapse

Azure Synapse Analytics and Azure Data Factory were vulnerable to cross-tenant access and code execution. This was made possible via a combination of (1) a shell injection RCE vulnerability in the ...

Tzah Pahima, Orca SecurityMay 9, 2022

low

AWS package backfill attack

Two malicious versions were created of packages previously used by AWS. The packages were officially authored and maintained by AWS before they were removed by their legitimate author, and once the...

Mend DiffendMay 1, 2022

critical

ExtraReplica

A chain of critical vulnerabilities was discovered in Azure Database for PostgreSQL Flexible Server, allowing unauthorized read access to other customers’ PostgreSQL databases, thus bypassing tenan...

Sagi Tzadik, Nir Ohfeld, Sh...Apr 28, 2022

View all