Breaking the Isolation: Cross-Account AWS Vulnerabilities

Presented at Black Hat USA 2021, Aug. 4, 2021, 3:20 p.m. (40 minutes)

Multiple AWS services were found to be vulnerable to a new cross-account vulnerability class. An attacker could manipulate various services in AWS and cause them to perform actions on other clients' resources, because the identity policies that AWS services use to access clients' resources are unsafe. The vulnerabilities have been proven on three major AWS services (AWS Config, CloudTrail, and Serverless Repository) and allowed a potential attacker to write and read certain objects in private S3 buckets.

In this presentation, we will review the discovered vulnerabilities and explain their root cause. We will show how an attacker can perform actions on any account in AWS using these services via the discovered cross-account vulnerability. We believe this is a new class of vulnerabilities that may affect many other services in AWS, because the tenant scope is implicitly defined in AWS IAM policies, causing services that allow multi-tenant access to perform unintended actions.

While reporting and working with the AWS security team on resolving these issues, we concluded that the process of updating IAM-related vulnerabilities is suboptimal. Although AWS acted very quickly to fix the issues, the cloud provider relies on customers to perform the IAM policy updates, which often does not happen. IAM vulnerabilities are not tracked by NIST, do not have a CVE, and have no scanning tools that report IAM vulnerability findings. The result is that most customers are running with vulnerable IAM policies and have no process to fix them. Furthermore, we discovered that AWS issues hundreds of security updates to its IAM policies, but security teams lack tools to scan for them and prioritize fixing them. It is vital to raise community awareness of the issue of IAM CVEs, because identity-related vulnerabilities are a key attack surface in cloud environments.

We will review the specific mitigations provided for the IAM vulnerabilities we found and discuss the current gaps in the way the vulnerability management process for IAM is handled today.
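The abstract describes the root cause (a service principal such as CloudTrail is granted access to a customer's bucket without the policy pinning which customer account may drive that service) and notes that no scanning tools exist for this class of IAM weakness. The following is an added example, not material from the talk or from Wiz: a small offline checker that reads an S3 bucket policy document and flags Allow statements that grant an AWS service principal access without an `aws:SourceAccount` or `aws:SourceArn` condition, then produces a hardened copy. It assumes the generic confused-deputy mitigation that AWS documents for service principals (scoping with those two condition keys); the talk's exact per-service mitigations are not reproduced here. The bucket name, account ID and policy statements are constructed sample data.

```python
"""Offline checker for unscoped service-principal grants in an S3 bucket policy.

Added example (not the talk's code). Assumption: the relevant hardening is to
pin the calling customer's account with aws:SourceAccount or aws:SourceArn,
the generic confused-deputy guidance AWS publishes for service principals.
"""
import json

SERVICE_SUFFIX = ".amazonaws.com"
# Condition keys that bind a service-principal grant to one tenant.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

# Constructed sample: a CloudTrail-style bucket policy with no tenant scoping.
# The second statement has a Condition, but not one that names the source
# account, so it is still unscoped.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-trail-bucket"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # constructed account ID
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-trail-bucket"},
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_principals(principal):
    """Return the AWS service principals named by a statement's Principal."""
    if not isinstance(principal, dict):
        return []  # "*" or a bare string principal is not a service grant
    return [p for p in _as_list(principal.get("Service", []))
            if isinstance(p, str) and p.endswith(SERVICE_SUFFIX)]


def _has_scoping_condition(statement):
    """True if any condition operator references a tenant-scoping key."""
    for operator_values in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_KEYS for key in operator_values):
            return True
    return False


def find_unscoped_service_grants(policy):
    """List Allow statements that grant a service principal without scoping."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        services = _service_principals(stmt.get("Principal"))
        if services and not _has_scoping_condition(stmt):
            findings.append({
                "sid": stmt.get("Sid", f"Statement[{index}]"),
                "services": services,
                "actions": _as_list(stmt.get("Action", [])),
            })
    return findings


def harden(policy, account_id):
    """Return a deep copy in which every unscoped service grant is pinned to
    account_id via StringEquals aws:SourceAccount. Existing conditions are kept."""
    hardened = json.loads(json.dumps(policy))
    for stmt in _as_list(hardened.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _service_principals(stmt.get("Principal"))
                and not _has_scoping_condition(stmt)):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    return hardened


if __name__ == "__main__":
    for finding in find_unscoped_service_grants(WEAK_POLICY):
        print(f"UNSCOPED {finding['sid']}: {finding['services']} -> {finding['actions']}")
    print(json.dumps(harden(WEAK_POLICY, "111111111111"), indent=2))
```

The checker deliberately treats a statement with some Condition block as still unscoped unless one of the two tenant-binding keys is present, which is the case that a quick "does it have a condition?" review misses. Running it against exported bucket policies (for example, the output of `aws s3api get-bucket-policy`) gives a first-pass inventory of the grants the abstract is concerned with; it does not evaluate the policy as IAM would, so a clean result is a necessary, not sufficient, check.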

Presenters:

  • Ami Luttwak - Co-Founder & Chief Technology Officer, Wiz.io
    Ami Luttwak is a serial entrepreneur, an experienced cyber security CTO and a hacker at heart. Ami is mainly interested in cloud security and cloud exploits and in understanding how the cloud is built to uncover its weaknesses. Ami is currently CTO of Wiz, the fastest growing unicorn in cloud security, and prior to that led research as CTO of Microsoft cloud security and founded Adallom, a pioneering cloud security start-up acquired by Microsoft in 2015.
  • Shir Tamari - Head of Research, Wiz.io
    Shir Tamari is an experienced security and technology researcher specializing in vulnerability research and practical hacking. Shir is currently Head of Research of the cloud security company Wiz. In the past, he served as a consultant to a variety of security companies in the fields of research, development and product. Shir is also a member of the 5BC CTF team.
