Critical AWS flaw exposes thousands of web apps to attack
What's the story
A recently discovered vulnerability in Amazon Web Services's (AWS) Application Load Balancer, a traffic-routing service, could potentially expose thousands of web applications to security risks.
The flaw is not due to a software bug but rather an issue with customer implementation.
This means that the risk arises from how AWS users configure authentication with the Application Load Balancer, as revealed by cybersecurity firm Miggo.
Exploitation process
How the vulnerability works
The vulnerability could allow an attacker to manipulate the handoff of the Application Load Balancer to a third-party corporate authentication service, thereby gaining unauthorized access to web applications and potentially viewing or extracting data.
To exploit this flaw, an attacker would need to create an AWS account and an Application Load Balancer.
They would then sign their own authentication token before making configuration changes that make it appear as if their target's authentication service issued the token.
Impact assessment
Over 15,000 web apps potentially at risk
Miggo's research indicates that over 15,000 publicly accessible web applications may have vulnerable configurations due to this flaw.
However, AWS disputes these figures, stating that "a small fraction of a percent of AWS customers have applications potentially misconfigured in this way," which is significantly less than Miggo's estimate.
The exact number remains uncertain as AWS does not have access or visibility into its clients' cloud environments.
Mitigation measures
AWS's response and recommendations
In response to the vulnerability disclosure, AWS has contacted customers on to suggest a more secure implementation.
The company does not view token forging as a vulnerability in Application Load Balancer, but rather an expected outcome of choosing to configure authentication in a particular way.
However, after Miggo disclosed their findings, AWS made two documentation changes aimed at updating their implementation recommendations for Application Load Balancer authentication.
Security updates
AWS's updated guidance for secure implementation
The first update from AWS, dated May 1, included guidance to add validation before Application Load Balancer will sign tokens.
On July 19, the company also added an explicit recommendation that users set their systems to receive traffic from only their own Application Load Balancer using a feature called "security groups."
These changes effectively address the attack path proposed by Miggo researchers but require AWS users with vulnerable configurations to implement them.
User responsibility
AWS's shared responsibility model
The fixes proposed by AWS are not like a software patch that a developer can push out to all users.
Instead, they involve changing how AWS customers have set up their own systems.
This falls under the Shared Responsibility Model, where such situations often sit in the gray area between what a cloud platform provider should address for its customers and what users need to manage themselves.