Researchers from security company Datadog discovered a cross-tenant vulnerability in a popular Amazon Web Services (AWS) tool, which Amazon has now addressed.
What does the vulnerability do?
The bug allows attackers to abuse AWS’ AppSync service and assume Identity and Access Management (IAM) roles in other AWS accounts. This gives an attacker the opportunity “to pivot into a victim organization and access resources in those accounts,” according to Datadog.
AppSync is a popular AWS service that allows developers to quickly create GraphQL and Pub/Sub Application Programming Interfaces (APIs), the researchers explained. In that process, a developer must create a data source that holds the data the GraphQL API interacts with.
“AWS moved immediately to correct this issue when it was reported,” an AWS statement read. “Analysis of logs going back to the launch of the service has been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.”
In a proof of concept, they described it as a “confused deputy problem,” where an attacker convinces a service with higher-level privileges — AppSync, in this case — to perform an action for the attacker.
To do this, the researchers found a way to bypass the Amazon Resource Name (ARN) validation via a mixed-case JSON payload. Instead of a request using the normal “serviceRoleArn” case, they modified the request using an all lowercase “servicerolearn.”
The experts pointed out that AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role’s ARN. The check could be bypassed simply by passing the “serviceRoleArn” parameter in lowercase.
An attacker can exploit the issue to supply the ARN of a role belonging to a different AWS account.
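The bug class the researchers describe is a parsing discrepancy: the validator inspects the parameter under one spelling while the component that acts on it looks the parameter up case-insensitively. The model below is an added example written for this article, not Datadog's proof of concept or AWS's code; the account ids, role names and function names are constructed. The vulnerable checker lets a lowercase key reach the consumer unvalidated, while the hardened checker canonicalises keys once, rejects unexpected spellings and duplicates, and validates exactly the value it will use.

```python
import json

CALLER = "111111111111"                                    # constructed caller account id
OTHER_ROLE = "arn:aws:iam::222222222222:role/VictimRole"   # constructed role in another account


def role_account(arn: str) -> str:
    """Return the account id of an IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME)."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "iam"] or not parts[5].startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return parts[4]


def pick_role_vulnerable(request: dict, caller_account: str):
    """Constructed model of the bug class: the validator reads the exact key
    'serviceRoleArn', but the consumer looks it up case-insensitively, so a
    differently cased key reaches the consumer without being checked."""
    candidate = request.get("serviceRoleArn")
    if candidate is not None and role_account(candidate) != caller_account:
        raise PermissionError("serviceRoleArn must belong to the caller's account")
    lowered = {k.lower(): v for k, v in request.items()}
    return lowered.get("servicerolearn")  # may be a value the validator never saw


def pick_role_hardened(request: dict, caller_account: str):
    """Canonicalise keys once, reject unexpected spellings and duplicates,
    and validate exactly the value that will be used."""
    by_canon = {}
    for key, value in request.items():
        if key.lower() in by_canon:
            raise ValueError(f"duplicate parameter {key!r}")
        by_canon[key.lower()] = (key, value)
    if "servicerolearn" not in by_canon:
        return None
    key, arn = by_canon["servicerolearn"]
    if key != "serviceRoleArn":
        raise ValueError(f"unexpected parameter spelling {key!r}")
    if role_account(arn) != caller_account:
        raise PermissionError("serviceRoleArn must belong to the caller's account")
    return arn


def decide(checker, body: str, caller_account: str):
    """Parse a JSON request body, run a checker and report the outcome as data."""
    try:
        arn = checker(json.loads(body), caller_account)
    except (PermissionError, ValueError) as exc:
        return ("deny", str(exc))
    return ("allow", arn)
```

Running `decide(pick_role_vulnerable, '{"servicerolearn": "<other-account role ARN>"}', CALLER)` returns an allow decision for a role outside the caller's account, whereas the hardened checker denies the same body.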