Experts Discover Vulnerability in AWS AppSync
Security Affairs

Amazon Web Services (AWS) fixed a cross-tenant vulnerability in AppSync that could have allowed an attacker to gain unauthorized access to resources in other customers' accounts.

Amazon Web Services (AWS) addressed a cross-tenant confused deputy issue in its AppSync service that could have allowed a threat actor to gain unauthorized access to resources in other AWS accounts. Datadog researchers reported the issue to the company on September 1, 2022, and AWS resolved it on September 6.

The confused deputy problem arises when an entity that does not have permission to perform an action can coerce a more-privileged entity into performing that action on its behalf. In AWS this typically happens when an account owner grants a third party (cross-account access) or another AWS service (cross-service access) permission to act on resources in their account, and that intermediary can be tricked into acting for someone other than the intended principal.

The issue affects the AppSync service in AWS, which lets developers quickly build GraphQL and Pub/Sub APIs.

“We discovered a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync,” reads the report published by Datadog. “This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows the attacker to pivot to victim organizations and access resources in those accounts.”

Amazon investigated whether the issue had been exploited in attacks in the wild and determined that no customers were affected.

“A security researcher recently disclosed a case-sensitive parsing issue in AWS AppSync that could be used to bypass the service’s validation of cross-account role usage and act as the service across customer accounts,” reads the advisory issued by Amazon.

“No customers were impacted by this issue, and no customer action was required. AWS took immediate action to correct the issue when it was reported. Logs going back to the launch of the service were analyzed, and we determined that the only activity was between accounts owned by the researcher. No other customer accounts were affected.”

In the attack scenario, a less privileged entity (the attacker) coerces a more privileged entity or service (AppSync) into performing actions on the attacker's behalf.

Experts point out that, in order to authorize the actions AppSync will perform, developers create an IAM role with the required permissions (or let AppSync create it automatically on their behalf). The role carries a trust policy that allows the AppSync service principal to assume it.

Take an API backed by S3 as an example: the developer creates a role with the required S3 permissions and allows AppSync to assume it. When the GraphQL API is invoked, AppSync assumes that role, makes the AWS API call and interprets the results. Any role that trusts the AppSync service is therefore only as safe as AppSync's own check that the role belongs to the account making the request.

Experts point out that AWS does have a safeguard in place to prevent AppSync from assuming arbitrary roles: it validates the Amazon Resource Name (ARN) of the role supplied when a data source is created. That check could be trivially circumvented by sending the parameter name in lowercase (“servicerolearn” instead of “serviceRoleArn”): the validation logic only looked for the exact, case-sensitive parameter name, while the backend that actually consumed the request still honored the lowercase form.

An attacker could exploit this to supply the ARN of a role in a different AWS account, and AppSync would assume it, provided that role's trust policy allowed the AppSync service to do so.
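The following is an added example written for this article, not code from Datadog or AWS. It models the two halves of the issue described above: a validator that only recognizes the exact key “serviceRoleArn” while the consumer of the request matches the key case-insensitively, beside a hardened validator that canonicalizes and allow-lists parameter names before checking the ARN. It also shows why a role trust policy pinned with an aws:SourceAccount condition stops the cross-account assumption even when the service-side check fails. The account IDs, role names, allowed-key list and the simplified trust-policy evaluator are all assumptions made for the example; the claim that aws:SourceAccount applies to AppSync data-source roles is AWS's general confused-deputy guidance and is likewise assumed here.

```python
import re

# Constructed sample identities for the example (not real account IDs or roles).
ATTACKER_ACCOUNT = "111111111111"   # account the attacker controls and calls AppSync from
VICTIM_ACCOUNT = "222222222222"     # account owning a role that trusts appsync.amazonaws.com
VICTIM_ROLE_ARN = f"arn:aws:iam::{VICTIM_ACCOUNT}:role/AppSyncDynamoDBRole"
ATTACKER_ROLE_ARN = f"arn:aws:iam::{ATTACKER_ACCOUNT}:role/MyAppSyncRole"
APPSYNC_PRINCIPAL = "appsync.amazonaws.com"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def role_account(role_arn):
    """Return the 12-digit account ID embedded in an IAM role ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"malformed role ARN: {role_arn!r}")
    return match.group(1)


def validate_vulnerable(request, caller_account):
    """Models the original check: only the exact key 'serviceRoleArn' is inspected.
    A request spelling the key 'servicerolearn' is never looked at here."""
    arn = request.get("serviceRoleArn")
    if arn is not None and role_account(arn) != caller_account:
        raise PermissionError("serviceRoleArn must belong to the calling account")


def backend_role_arn(request):
    """Models a backend deserializer that matches parameter names case-insensitively,
    so it accepts the value the vulnerable validator skipped."""
    for key, value in request.items():
        if key.lower() == "servicerolearn":
            return value
    return None


# Assumed allow-list of data-source parameters, in canonical (lowercase) form.
ALLOWED_KEYS = {"name", "type", "servicerolearn", "dynamodbconfig"}


def validate_fixed(request, caller_account):
    """Hardened check: canonicalize keys exactly the way the backend will, reject
    unknown or duplicate parameters, require the ARN, then check its account."""
    canonical = {}
    for key, value in request.items():
        k = key.lower()
        if k not in ALLOWED_KEYS:
            raise ValueError(f"unknown parameter {key!r}")
        if k in canonical:
            raise ValueError(f"duplicate parameter {key!r}")
        canonical[k] = value
    arn = canonical.get("servicerolearn")
    if arn is None:
        raise ValueError("serviceRoleArn is required")
    if role_account(arn) != caller_account:
        raise PermissionError("serviceRoleArn must belong to the calling account")
    return arn


# Trust policy as the article describes AppSync creating it: any AppSync call may assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": APPSYNC_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

# Same role pinned to its owning account (assumed applicability of AWS's aws:SourceAccount guidance).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": APPSYNC_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": VICTIM_ACCOUNT}},
    }],
}


def trust_allows_assume(trust_policy, service, source_account):
    """Simplified model of IAM evaluating sts:AssumeRole for a service principal.
    Honors only Effect, Principal.Service and a StringEquals aws:SourceAccount condition."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("Service") != service:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if wanted is not None and wanted != source_account:
            continue
        return True
    return False


def create_data_source(request, caller_account, validator, trust_policy):
    """Validate the request, let the backend pick the role, then have 'AppSync' assume it
    on behalf of caller_account. Returns the account whose role ended up assumed."""
    validator(request, caller_account)
    arn = backend_role_arn(request)
    if arn is None:
        raise ValueError("no role ARN in request")
    if not trust_allows_assume(trust_policy, APPSYNC_PRINCIPAL, caller_account):
        raise PermissionError("role trust policy denies AssumeRole for this source account")
    return role_account(arn)


def outcome(request, caller_account, validator, trust_policy):
    """Run one scenario and summarize it as 'ASSUMED:<account>' or 'DENIED:<reason>'."""
    try:
        return "ASSUMED:" + create_data_source(request, caller_account, validator, trust_policy)
    except (PermissionError, ValueError) as exc:
        return "DENIED:" + str(exc)


# Constructed requests: the lowercase-key attack and an honest same-account request.
ATTACK_REQUEST = {"name": "victim-table", "type": "AMAZON_DYNAMODB", "servicerolearn": VICTIM_ROLE_ARN}
HONEST_REQUEST = {"name": "my-table", "type": "AMAZON_DYNAMODB", "serviceRoleArn": ATTACKER_ROLE_ARN}

if __name__ == "__main__":
    print("vulnerable + weak trust:    ", outcome(ATTACK_REQUEST, ATTACKER_ACCOUNT, validate_vulnerable, WEAK_TRUST_POLICY))
    print("vulnerable + pinned trust:  ", outcome(ATTACK_REQUEST, ATTACKER_ACCOUNT, validate_vulnerable, HARDENED_TRUST_POLICY))
    print("fixed + weak trust:         ", outcome(ATTACK_REQUEST, ATTACKER_ACCOUNT, validate_fixed, WEAK_TRUST_POLICY))
    print("honest request, fixed check:", outcome(HONEST_REQUEST, ATTACKER_ACCOUNT, validate_fixed, WEAK_TRUST_POLICY))
```

The first scenario is the one in the article: the case-sensitive validator never sees the lowercase key, the backend does, and a role that trusts the AppSync service with no conditions is assumed across the account boundary. The second scenario is the defense a role owner controls on their side: an aws:SourceAccount condition on the trust policy rejects the assumption because AppSync is acting for the attacker's account, not the role's. The fixed validator closes the parsing gap itself, and the honest same-account request still succeeds.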

“This vulnerability in AWS AppSync allows an attacker to cross account boundaries and execute AWS API calls in a victim account through an IAM role that trusts the AppSync service. Using this approach, an attacker could compromise an organization using AppSync and gain access to the resources associated with the role,” the report concludes. “After discovering this vulnerability, we contacted the AWS security team and they quickly fixed the issue.”

Pierluigi Paganini
