medium

SNS SigningCertUrl improper validation

Published Fri, Aug 19th, 2022

Platforms

Summary

Amazon SNS' signature validation in the official SDK relied on a weak regex for default AWS certificate locations, that would incorrectly match an S3 bucket named `sns`. This bucket happened to be publicly readable and writeable, allowing an attacker to forge messages to any user of the official SDK SNS validator.

Affected Services

Amazon Simple Notification Service (SNS)

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://spaceraccoon.dev/exploiting-improper-validation-amazon-simple-notification-service/https://2022.cloud-village.org/#talks?collapseEugeneLim

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Eugene Lim

More vulnerabilities...

medium

Cloud SQL escape to host

In GCP's case, they introduced a modification to the Cloud SQL's PostgreSQL engine allowing the role assigned to the tenant (cloudsqlsuperuser) to arbitrarily change the ownership of a table to any...

Shir Tamari, Nir Ohfeld, Sa...

Thu, Aug 11th, 2022

medium

Google Cloud Shell command injection

A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access. By manipulating the "project" parameter, an attacker could have cause an unencoded Python scrip...

Bugra Eskici

Wed, Aug 10th, 2022

low

S3 Replication only logs first destination bucket

If a malicious actor with prior access to an AWS environment has permission to modify the S3 Replication Service role access policy, they could abuse cross-account replication to exfiltrate stolen ...

Kat Traxler

Wed, Jul 20th, 2022

View all