
Cloud Security

Vulnerability Allowed Takeover of AWS Apache Airflow Service

AWS patches vulnerability that could have been used to hijack Managed Workflows Apache Airflow (MWAA) sessions via FlowFixation attack. 


Cybersecurity firm Tenable on Thursday disclosed the details of a one-click vulnerability that could have been exploited to take complete control of user accounts on an AWS service, but AWS says exploitation was not trivial. 

The vulnerability, named FlowFixation by Tenable, was patched by AWS several months ago and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.

The FlowFixation vulnerability is related to the Apache Airflow open source workflow management platform. The flaw affected AWS’s Managed Workflows for Apache Airflow (MWAA) service, which enables users to build, schedule and monitor workflows in a managed Apache Airflow environment without having to worry about the underlying infrastructure.

Tenable pointed out that Apache Airflow is a very popular tool, with 12 million downloads per month. Twenty percent of the company’s customers use managed services for Airflow. 

The FlowFixation vulnerability existed due to a session fixation issue in the MWAA web management panel combined with an AWS domain misconfiguration: the panel shared a parent domain with other AWS services on which customers can run client-side code, so cross-site scripting (XSS) on a sibling subdomain could set cookies that the panel would accept. As with most XSS flaws, exploitation required the victim to click on a link, which is why Tenable described it as a one-click exploit.

“By abusing the vulnerability, an attacker could have forced victims to use and authenticate the attacker’s known session. This manipulation could have enabled the attacker to later use the same, now-authenticated session to take over the victim’s web management panel,” Tenable explained. 

A malicious actor could have exploited the FlowFixation flaw to take over the targeted user’s MWAA web management panel and leverage it to perform tasks such as reading connection strings, adding configurations, and triggering directed acyclic graphs (DAGs), which could have led to remote code execution on the underlying instance or lateral movement to other services.
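The session fixation mechanism Tenable describes (an attacker-known session ID that later becomes the victim's authenticated session) modelled as a minimal session store, with the vulnerable login beside the hardened one. This is an added illustration, not MWAA, Airflow or Tenable code, and it assumes nothing about how MWAA stores sessions; the user name and the hand-over of the attacker's ID to the victim's browser are constructed stand-ins for the cookie-tossing step.

```python
"""Session fixation, as described in the Tenable quote above, modelled as a
minimal session store. Added illustration, not MWAA or Airflow code."""
import secrets


class SessionStore:
    """Maps session IDs to session state ({"user": None} until someone logs in)."""

    def __init__(self):
        self.sessions = {}

    def anonymous_session(self):
        """Issue a fresh, unauthenticated session (what any visitor gets)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, presented_sid, user):
        """Vulnerable pattern: the ID the browser presented (however it got
        there) is simply upgraded to an authenticated session."""
        if presented_sid not in self.sessions:
            presented_sid = self.anonymous_session()
        self.sessions[presented_sid]["user"] = user
        return presented_sid

    def login_hardened(self, presented_sid, user):
        """Hardened pattern: discard the pre-authentication session and issue
        a new ID on login, so an attacker-chosen ID never becomes authenticated."""
        self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """Who the server believes is behind this session ID (None if nobody)."""
        return self.sessions.get(sid, {}).get("user")


def attacker_outcome(login):
    """Replay the FlowFixation-style sequence against one login implementation
    and return the user the attacker's own session ID resolves to afterwards.

    1. Attacker obtains a valid anonymous session from the login page.
    2. Attacker plants that ID in the victim's browser (cookie tossing via a
       sibling subdomain in the real case; here it is simply handed over).
    3. Victim logs in; the server handles the attacker's ID per `login`.
    4. Attacker presents the same ID again.
    """
    store = SessionStore()
    attacker_sid = store.anonymous_session()             # step 1
    victim_presents = attacker_sid                       # step 2 (constructed)
    login(store, victim_presents, "victim@example.com")  # step 3
    return store.whoami(attacker_sid)                    # step 4


if __name__ == "__main__":
    print("vulnerable login ->", attacker_outcome(SessionStore.login_vulnerable))
    print("hardened login   ->", attacker_outcome(SessionStore.login_hardened))
```

With the vulnerable login the attacker's ID resolves to the victim afterwards; with the hardened login it resolves to nobody, because the server never authenticates an ID it did not issue at login time. Rotating the session ID on every privilege change is the server-side fix that works regardless of how the cookie reached the browser.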

Tenable’s research revealed a wider problem with same-site attacks related to shared-parent domains and the Public Suffix List (PSL), the browser-consulted list of domain suffixes under which unrelated parties can register names (TLDs plus private entries such as hosting providers’ shared domains). Browsers refuse to scope a cookie to a listed suffix, which is what keeps one tenant’s cookies off another tenant’s sites.


Many cloud services offered by the same vendor share a parent domain. For instance, several AWS services use ‘amazonaws.com’.

“This sharing leads to a scenario in which non-related customers host their assets on subdomains of the ‘amazonaws.com’ shared parent domain. The problem is that some assets may also allow client-side code execution as a service,” Tenable explained.

“If we compare it to an on-prem environment, this scenario is like an XSS on a subdomain of a website you do not own. In an on-prem setting you would not normally allow users to run XSS on your subdomain, but in the cloud, allowing this is quite natural,” the security firm added. “For example, when creating an AWS S3 bucket, you can run client-side code by storing an HTML page in your bucket. The code will run in the context of the S3 bucket subdomain you were granted and also in the context of the shared parent domain, ‘amazonaws.com’.”

An analysis showed that shared-parent service domains on Azure and Google Cloud, as well as AWS, were misconfigured, i.e. the domains were missing from the PSL, which put their customers at risk of attacks. These risks include cookie tossing (which can lead to session fixation abuse and CSRF protection bypass) and same-site cookie protection bypass.
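The cookie-tossing risk above, and why a PSL entry removes it, as an added example that is not Tenable's tooling or any provider's code: it implements the PSL matching rule and the RFC 6265 check a browser applies to a cookie's Domain attribute, then asks whether an attacker on one subdomain of a shared parent can plant a cookie that a victim's host under the same parent will receive. The hostnames, and the two PSL subsets (one with a hypothetical entry for the shared parent, one without), are constructed for illustration; the entries the providers actually submitted are in the real list at publicsuffix.org.

```python
"""Cookie tossing across a shared parent domain, and why a Public Suffix List
entry stops it. Added illustration; hostnames and PSL entries are constructed."""

# Constructed PSL subsets in the real list's rule syntax ("*." = wildcard).
# Exception rules ("!") are not modelled here.
PSL_WITHOUT_ENTRY = {"com", "net"}
PSL_WITH_ENTRY = PSL_WITHOUT_ENTRY | {"amazonaws.com", "*.amazonaws.com"}  # hypothetical entries

# Hypothetical hosts: an attacker-controlled bucket and a victim's Airflow UI,
# both under the same shared parent domain.
ATTACKER_HOST = "attacker-bucket.s3.amazonaws.com"
VICTIM_HOST = "victim-env.c9.us-east-1.airflow.amazonaws.com"


def _rule_matches(rule_labels, host_labels):
    """PSL matching: compare labels right to left; '*' matches any one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, psl):
    """Longest matching PSL rule wins; with no match the TLD alone is the suffix."""
    host_labels = host.lower().rstrip(".").split(".")
    best = 1
    for rule in psl:
        rule_labels = rule.split(".")
        if _rule_matches(rule_labels, host_labels):
            best = max(best, len(rule_labels))
    return ".".join(host_labels[-best:])


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookie_accepted(setting_host, domain_attr, psl):
    """Would a PSL-aware browser store a cookie with Domain=domain_attr
    that was set by a response from setting_host?"""
    domain_attr = domain_attr.lower().lstrip(".")
    if not domain_matches(setting_host, domain_attr):
        return False  # cannot scope a cookie to a domain you are not under
    if domain_attr == public_suffix(domain_attr, psl):
        return False  # RFC 6265 section 5.3 step 5: Domain is a public suffix
    return True


def tossable_domain(attacker_host, victim_host, psl):
    """Return a Domain value the attacker can use so the planted cookie is
    also sent to victim_host, or None if the PSL blocks every candidate."""
    labels = attacker_host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if cookie_accepted(attacker_host, candidate, psl) and domain_matches(victim_host, candidate):
            return candidate
    return None


if __name__ == "__main__":
    for name, psl in (("without entry", PSL_WITHOUT_ENTRY), ("with entry", PSL_WITH_ENTRY)):
        print(f"{name}: tossable Domain = {tossable_domain(ATTACKER_HOST, VICTIM_HOST, psl)}")
```

Without the entry, `Domain=amazonaws.com` is accepted from the bucket host and the cookie is then sent to the Airflow host, which is the precondition for the session fixation above; with the entry the only candidates that would reach the victim are themselves public suffixes and are rejected. A service can also protect itself without waiting for a PSL change by naming its session cookie with the `__Host-` prefix, which browsers only accept without a Domain attribute, so a sibling subdomain cannot overwrite it.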

AWS and Microsoft took steps to mitigate the risk in response to Tenable’s report, but Google said it would not implement a fix after determining that it is not severe enough to be tracked as a security issue.

“AWS deployed a fix for these findings in September 2023, so customers running the current version of Amazon Managed Workflows for Apache Airflow (MWAA) are not impacted,” Patrick Neighorn, an AWS spokesperson, told SecurityWeek. “We informed affected customers last year and encouraged them to update their environments through the AWS Console, API, or the AWS Command Line Interface. Before we resolved the matter, taking advantage of the findings was a complex process that would have required social engineering.”

Tenable noted that adding the problematic domains to the PSL prevents exploitation of vulnerabilities like FlowFixation, as well as other types of flaws found in these services. 

*Headline updated for clarity; added statement from AWS; added clarifications on the one-click requirement and Tenable’s explanation for the domain misconfiguration.

Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Related: ‘Looney Tunables’ Glibc Vulnerability Exploited in Cloud Attacks 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
