Cybersecurity firm Tenable on Thursday disclosed the details of a one-click vulnerability that could have been exploited to take complete control of user accounts on an AWS service, but AWS says exploitation was not trivial.
The vulnerability, named FlowFixation by Tenable, was patched by AWS several months ago and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.
The FlowFixation vulnerability is related to the Apache Airflow open source workflow management platform. The flaw affected AWS’s Managed Workflows Apache Airflow (MWAA) service, which enables users to build, schedule and monitor workflows in a managed Apache Airflow without having to worry about the underlying infrastructure.
Tenable pointed out that Apache Airflow is a very popular tool, with 12 million downloads per month. Twenty percent of the company’s customers use managed services for Airflow.
The FlowFixation vulnerability existed due to a session fixation issue in the MWAA web management panel and an AWS domain misconfiguration that led to cross-site scripting (XSS). As with most XSS flaws, exploitation required the victim to click on a link, which is why Tenable described it as a one-click exploit.
“By abusing the vulnerability, an attacker could have forced victims to use and authenticate the attacker’s known session. This manipulation could have enabled the attacker to later use the same, now-authenticated session to take over the victim’s web management panel,” Tenable explained.
A malicious actor could have exploited the FlowFixation flaw to take over the targeted user’s MWAA web management panel and leverage it to perform tasks such as reading connection strings, adding configurations, and triggering directed acyclic graphs, which could have led to remote code execution on the underlying instance or lateral movement to other services.
Tenable’s research revealed a wider problem with same-site attacks related to shared-parent domains and the Public Suffix List (PSL), which is a list of TLDs with the respective registry’s policies on domain registrations.
Many cloud services offered by the same vendor share a parent domain. For instance, several AWS services use ‘amazonaws.com’.
“This sharing leads to a scenario in which non-related customers host their assets on subdomains of the ‘amazonaws.com’ shared parent domain. The problem is that some assets may also allow client-side code execution as a service,” Tenable explained.
“If we compare it to an on-prem environment, this scenario is like an XSS on a subdomain of a website you do not own. In an on-prem setting you would not normally allow users to run XSS on your subdomain, but in the cloud, allowing this is quite natural,” the security firm added. “For example, when creating an AWS S3 bucket, you can run client-side code by storing an HTML page in your bucket. The code will run in the context of the S3 bucket subdomain you were granted and also in the context of the shared parent domain, ‘amazonaws.com’.”
An analysis showed that shared-parent service domains not only on AWS but also Azure and Google Cloud were misconfigured — ie. the domains were missing from the PSL — and put their customers at risk of attacks. These risks include cookie tossing (this can lead to session fixation abuse and CSRF protection bypass) and same-site cookie protection bypass.
AWS and Microsoft took steps to mitigate the risk in response to Tenable’s report, but Google said it would not implement a fix after determining that it is not severe enough to be tracked as a security issue.
“AWS deployed a fix for these findings in September 2023, so customers running the current version of Amazon Managed Workflows for Apache Airflow (MWAA) are not impacted,” Patrick Neighorn, an AWS spokesperson, told SecurityWeek. “We informed affected customers last year and encouraged them to update their environments through the AWS Console, API, or the AWS Command Line Interface. Before we resolved the matter, taking advantage of the findings was a complex process that would have required social engineering.”
Tenable noted that adding the problematic domains to the PSL prevents exploitation of vulnerabilities like FlowFixation, as well as other types of flaws found in these services.
*headline updated for clarity. added statement from AWS . added clarifications on one-click requirement and Tenable’s explanation for domain misconfiguration
Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
Related: ‘Looney Tunables’ Glibc Vulnerability Exploited in Cloud Attacks
