Security researchers at cloud security firm Orca Security identified a flaw in AWS’s managed ETL service AWS Glue that let them effectively act as AWS Glue itself – with full administrative privileges over the service.
The vulnerability could have been used to access other AWS Glue users’ data and workloads, as well as “any AWS account that used Glue even ONCE in the past,” Orca Security researcher Tzah Pahima told The Stack.
AWS replicated the exploit (found by Orca Security’s Yanir Tsarimi) and patched it within 24 hours, with a full patch pushed to all regions inside six days. No customer action was required and AWS analysis shows that the vulnerability was never exploited. (It analysed logs going back over 50 months to confirm…)
The report will, however, send a frisson down the spine of everyone fearful of someone with less pleasant intentions gaining permissions to a cloud environment used by a wide range of other enterprise customers. (Particularly given the fact that the vulnerability was externally reported and not found in-house first.)
The vulnerability was one of two that the LA-headquartered firm publicly reported on January 13. (It identified them in September 2021.) Orca Security thanked the AWS security team “for collaborating with us and working to quickly confirm and resolve this issue”, adding that “the process of reporting and having the issue resolved was smooth and we got to meet some of the great people at AWS that help make sure the cloud is secure.”
The other bug, in AWS CloudFormation (an infrastructure-as-code service to model, provision, and manage AWS and third-party resources) was less severe. That let Orca’s team use server-side request forgery (SSRF) to fetch what one AWS distinguished engineer described as “some local host-level creds and configuration.”
Amazon’s response to that issue is here.
AWS Glue vulnerability: Rapidly fixed, but still troubling
Orca Security said on January 13: “By carefully looking at what data could be accessible in the service account, we confirmed that we would be able to access data owned by other AWS Glue customers.”
The company, founded in 2018, added: “We used accounts under our control to test and verify that this issue gave us the ability to access data from our other accounts without affecting any other AWS customers’ data.”
As Orca Security’s Tzah Pahima noted to The Stack: “Even if someone used Glue even once, he [sic] was vulnerable (unless he specifically deleted the Glue role in his account)… The AWS Glue vulnerability fully escalates into the AWS Glue service principal credentials,” Pahima added in a DM exchange on Twitter.
AWS said that “There is no way that this could have been used to affect customers who do not use the AWS Glue service” in a statement that deserves a second read and which may not reassure Glue users.
Orca Security has promised a full technical write-up within two weeks, after publishing a detail-thin blog that was, however, rapidly confirmed by AWS. Somewhat unusually for Amazon, the hyperscaler confirmed the vulnerability and thanked the security company at 21:00 GMT on the same day as Orca’s public disclosure.
Orca Security said: “we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API.” The company added December 13: “In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”
AWS said: “A security researcher recently reported an issue that allowed them to take actions as the AWS Glue service. Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service…”
“No customer action is required. AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher.”
AWS added: “No other customer’s accounts were impacted. All actions taken by AWS Glue in a customer’s account are logged in CloudTrail records controlled and viewable by customers.”
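AWS points Glue customers at their own CloudTrail records as the place to see what the service did in their account, and Pahima notes the exposure hinged on the Glue role left in each account. The script below is an added example (not code from Orca Security or AWS) of the kind of review a defender can run over those records: it pulls out every event that assumes or runs under the account’s Glue service role and separates the ones invoked by the Glue service from any that were not. The role name `AWSGlueServiceRole-example`, the account number and the CloudTrail records are constructed placeholders; the field names (`userIdentity.invokedBy`, `sessionContext.sessionIssuer`, `requestParameters.roleArn`) are standard CloudTrail fields.

```python
"""Review constructed CloudTrail records for activity involving a Glue service role.
Constructed sample data, not real logs: role name and account id are placeholders."""
import json

GLUE_ROLE_NAME = "AWSGlueServiceRole-example"   # placeholder: your Glue role name
GLUE_PRINCIPAL = "glue.amazonaws.com"           # service principal that should invoke it
ROLE_ARN = f"arn:aws:iam::123456789012:role/{GLUE_ROLE_NAME}"

SAMPLE_RECORDS = [
    # 1. The Glue service assuming the customer's Glue role (expected).
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": GLUE_PRINCIPAL},
     "requestParameters": {"roleArn": ROLE_ARN}},
    # 2. An action run with the role's credentials on behalf of Glue (expected).
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "invokedBy": GLUE_PRINCIPAL,
                      "sessionContext": {"sessionIssuer": {"userName": GLUE_ROLE_NAME}}}},
    # 3. An IAM user assuming the Glue role directly, not via the service: review it.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleArn": ROLE_ARN}},
    # 4. Unrelated activity that the report should ignore.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]


def touches_glue_role(record):
    """True if the event assumes the Glue role or was made with its credentials."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    role_arn = record.get("requestParameters", {}).get("roleArn", "")
    return issuer == GLUE_ROLE_NAME or role_arn.endswith(f"role/{GLUE_ROLE_NAME}")


def glue_role_report(records):
    """Split Glue-role events into those invoked by the Glue service and all others.
    Returns (service_events, other_events) as lists of 'eventSource:eventName'."""
    service, other = [], []
    for rec in records:
        if not touches_glue_role(rec):
            continue
        label = f"{rec['eventSource']}:{rec['eventName']}"
        if rec.get("userIdentity", {}).get("invokedBy") == GLUE_PRINCIPAL:
            service.append(label)
        else:
            other.append(label)   # the Glue role used by something other than Glue
    return service, other


if __name__ == "__main__":
    via_service, to_review = glue_role_report(SAMPLE_RECORDS)
    print(json.dumps({"via_glue_service": via_service, "review": to_review}, indent=2))
```

This only covers what lands in the customer’s own trail; activity performed inside the Glue service account, as in the Orca finding, is not visible there, which is why AWS’s own log analysis mattered.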