low

VPC Hosted Zones unauditable

Published Fri, May 24th, 2019

Platforms

Summary

For 6 years, it was not possible to see what hosted zones an attacker may have created in an account. This issue could be viewed as a business decision that adding the ability to viewing this data was not worthwhile, but the delay is significant and would allow someone that had compromised an environment to maintain a backdoor.

Affected Services

N/A

Remediation

Audit your VPC hosted zones

Tracked CVEs

No tracked CVEs

References

https://twitter.com/__steele/status/1273748905826455552 https://blog.ryanjarv.sh/2019/05/24/backdooring-route53-with-cross-account-dns.html

Contributed by https://github.com/RyanJarv

Entry Status

Finalized

Disclosure Date

Mon, May 13th, 2019

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ryan Gerstenkorn

More vulnerabilities...

medium

Impersonate GCP Organization Through the Organizations Update Method

A GCP Organizations name could be changed through the (deprecated) organizations.update method in the Resource Manager, even though the documentation said the "displayName" was read-only. With thi...

Ezequiel Pereira

Sun, Jan 20th, 2019

medium

Azure Cloud Shell terminal escape

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue was later discovered in AWS as well.

Felix Wilhelm, Google

Wed, Jan 9th, 2019

low

Resource policy confused deputy issue with services

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan ...

Dan Peebles, Bridgewater

Wed, Nov 28th, 2018

View all