low

MFA enforcement IAM policy bypass

Published Tue, Apr 25th, 2023
Platforms

Summary

An AWS-recommended IAM policy that enforced MFA on access keys could have been bypassed due to a change implemented by AWS in November 2022 that allowed IAM users to assign multiple MFA devices to their account. Prior to this change, an attacker that had compromised credentials could not create and assign a new MFA device to bypass the MFA requirement as they would need to first deactivate the user’s existing MFA device. Organisations using SSO which enforces MFA, either via an external IdP or AWS SSO, were not affected by this issue.
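To make the mechanism in the summary concrete, the following is an added example written for this entry (it is not code from the advisory, from AWS, or from the discoverer). It models, offline, how the AWS-documented "deny everything unless MFA is present" self-service policy pattern evaluates for a long-term access key, and adds a defender-side check that flags IAM users with more than one MFA device. The policy text is a simplified reconstruction of that documented pattern, and the user names, account id and device ARNs are constructed sample data; in practice the check would be fed the output of boto3's `iam.list_mfa_devices()` for each user.

```python
"""
Offline model of an MFA-enforcing IAM policy plus a multi-device MFA check.
Added example, not part of the original advisory; policy and sample data are
constructed for illustration.
"""
from collections import defaultdict
import fnmatch

# Simplified reconstruction (an assumption for this example) of the AWS-documented
# self-service MFA policy pattern. The Deny statement uses NotAction so that the
# calls needed to enrol an MFA device stay allowed on a session with no MFA;
# iam:DeactivateMFADevice is deliberately absent from that list, so an existing
# device cannot be removed without first authenticating with it.
POLICY = {
    "Statement": [
        {"Sid": "AllowWorkload", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:DeactivateMFADevice", "iam:ListMFADevices",
                    "iam:ResyncMFADevice"],
         "Resource": "*"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:ResyncMFADevice",
                       "sts:GetSessionToken"],
         "Resource": "*",
         # BoolIfExists: a long-term access key has no MultiFactorAuthPresent
         # key in its request context at all, and the condition must still fire.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]
}

# Request contexts: a plain access key carries no MFA key; an MFA-backed
# session carries it set to true.
ACCESS_KEY_CTX = {}
MFA_SESSION_CTX = {"aws:MultiFactorAuthPresent": True}


def _matches(patterns, action):
    """Wildcard match of an action against a statement's Action/NotAction list."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Evaluate the two operators this policy uses: Bool and BoolIfExists."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue  # absent key counts as a match for ...IfExists
                return False  # plain Bool with an absent key never matches
            if str(ctx[key]).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy, action, ctx):
    """IAM-style decision: an explicit Deny wins; no matching Allow is an implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if "Action" in statement:
            hit = _matches(statement["Action"], action)
        else:
            hit = not _matches(statement["NotAction"], action)
        if not hit or not _condition_holds(statement.get("Condition"), ctx):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample in the shape of iam:ListMFADevices output (not real data).
SAMPLE_MFA_DEVICES = [
    {"UserName": "alice", "SerialNumber": "arn:aws:iam::111122223333:mfa/alice",
     "EnableDate": "2021-03-02T10:00:00Z"},
    {"UserName": "bob", "SerialNumber": "arn:aws:iam::111122223333:mfa/bob",
     "EnableDate": "2021-03-02T10:05:00Z"},
    {"UserName": "bob", "SerialNumber": "arn:aws:iam::111122223333:mfa/bob-second",
     "EnableDate": "2022-12-14T01:12:00Z"},
]


def users_with_multiple_mfa_devices(mfa_devices):
    """Group device records by user and return those with more than one device."""
    by_user = defaultdict(list)
    for device in mfa_devices:
        by_user[device["UserName"]].append(device["SerialNumber"])
    return {user: serials for user, serials in by_user.items() if len(serials) > 1}


if __name__ == "__main__":
    for action in ["s3:GetObject", "iam:CreateVirtualMFADevice",
                   "iam:EnableMFADevice", "iam:DeactivateMFADevice"]:
        print(f"{action:30} access key: {is_allowed(POLICY, action, ACCESS_KEY_CTX)!s:5} "
              f"MFA session: {is_allowed(POLICY, action, MFA_SESSION_CTX)}")
    print("users with >1 MFA device:", users_with_multiple_mfa_devices(SAMPLE_MFA_DEVICES))
```

Running it shows the property the summary relies on: with only an access key, workload actions and `iam:DeactivateMFADevice` are denied, while `iam:CreateVirtualMFADevice` and `iam:EnableMFADevice` remain allowed because enrolment has to work before MFA exists. That carve-out was safe while a user could hold only one device; once a second device could be enabled, it is the carve-out that matters, so a periodic report of users with more than one registered device is a cheap signal to review.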

Affected Services

AWS IAM

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Thu, Jan 19th, 2023
Exploitability Period
November 2022 until April 2023
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Justin Moorcroft, MWR CyberSec