Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could potentially be exploited by a malicious actor to hijack victims' sessions and achieve remote code execution on underlying instances.
The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.
"Upon taking over the victim's account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGs)," senior security researcher Liv Matan said in a technical analysis.
"Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services."
The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.
Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker's known session and ultimately take over the victim's web management panel.
"FlowFixation highlights a broader issue with the current state of cloud providers' domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks," Matan said, adding that the misconfiguration also impacts Microsoft Azure and Google Cloud.
Tenable also pointed out that the shared architecture, where several customers have the same parent domain, could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.
The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to the PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not "severe enough" to merit a fix.
"In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments," Matan explained.
"Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues."
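To make the PSL fix concrete, the following added example (not code from Tenable, AWS or any browser) models the two browser rules involved: a cookie's Domain attribute is rejected when it names a public suffix, and SameSite treats two hosts as one site only when their eTLD+1 is equal. The hostnames and the mini public suffix list are constructed placeholders, and real browsers apply further checks this simplified model omits.

```python
# Added example, not Tenable's or AWS's code: a simplified model of why a shared
# parent domain enables cookie tossing and why listing it in the PSL stops it.
# Hostnames are constructed placeholders, not the real MWAA domains.

# Constructed mini PSL; the real list lives at publicsuffix.org.
PSL_BEFORE_FIX = {"example", "com"}
PSL_AFTER_FIX = PSL_BEFORE_FIX | {"shared-parent.example"}


def public_suffix(host: str, psl: set) -> str:
    """Longest PSL entry that host ends with (falls back to the last label)."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]


def registrable_domain(host: str, psl: set) -> str:
    """eTLD+1, i.e. the public suffix plus one label; SameSite compares this."""
    labels = host.lower().strip(".").split(".")
    n = len(public_suffix(host, psl).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else ".".join(labels)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_domain_accepted(setting_host: str, domain_attr: str, psl: set) -> bool:
    """Browsers store Domain=domain_attr only if the setting host domain-matches
    it and the attribute is not itself a public suffix."""
    domain = domain_attr.lower().lstrip(".")
    return domain_matches(setting_host, domain) and public_suffix(domain, psl) != domain


def cookie_tossing_possible(attacker_host: str, victim_host: str, parent: str, psl: set) -> bool:
    """Would a cookie set by attacker_host with Domain=parent be stored and then
    sent along with requests to victim_host?"""
    return cookie_domain_accepted(attacker_host, parent, psl) and domain_matches(victim_host, parent)


def same_site(host_a: str, host_b: str, psl: set) -> bool:
    """Two hosts are 'same-site' for SameSite cookie purposes when eTLD+1 is equal."""
    return registrable_domain(host_a, psl) == registrable_domain(host_b, psl)


if __name__ == "__main__":
    a, v, p = "attacker.shared-parent.example", "victim.shared-parent.example", "shared-parent.example"
    for label, psl in (("before PSL fix", PSL_BEFORE_FIX), ("after PSL fix", PSL_AFTER_FIX)):
        print(label, "tossing:", cookie_tossing_possible(a, v, p, psl), "same-site:", same_site(a, v, psl))
```

Running it shows tossing and same-site both flip from True to False once the shared parent is a public suffix, which is exactly the effect the AWS and Azure fixes rely on.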