high

Lake Formation data lake admin override

Published Thu, Aug 15th, 2019
Platforms

Summary

Shortly after Lake Formation was made generally available, a bug was discovered that gave anyone the ability to view and override data lake admins for any account (an attacker would have only needed to know the target account number in advance). The root cause was in the Catalog ID, which references the Glue metadata store that Lake Formation uses to store its configuration - none of the methods that used this field actually checked for permissions on the account it was accessing, only the source account. Moreover, CloudTrail was only writing the log to the source account, so anyone auditing the destination account would not have been able to observe any suspicious activity. Following disclosure, AWS fixed the bug.

Affected Services

Lake Formation

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Thu, Aug 15th, 2019
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ian Mckay

More vulnerabilities...

medium

AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

AWS offers a metadata service accessible to most EC2 Instances via a simple GET request to 169.254.169.254. If an instance has an SSRF vulnerability, attackers can access the metadata service & exf...

high

IAM privilege escalation via undocumented CodeStar API

The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creati...

...
Spencer Gietzen, Rhino Secu...

low

VPC Hosted Zones unauditable

For 6 years, it was not possible to see what hosted zones an attacker may have created in an account. This issue could be viewed as a business decision that adding the ability to viewing this data ...

...
Ryan Gerstenkorn

View all