medium

3rd party vendor confused deputy via AssumeRole

Published Wed, Nov 16th, 2016
Platforms

Summary

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their AWS role trust policies, leading to confused deputy issues. These misconfigurations could allow customers to access other customers' data. Although vendors are responsible for ensuring their own configurations are correct, AWS could theoretically add mitigations to prevent and detect this issue.

Affected Services

N/A

Remediation

Audit your vendor roles.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Wed, Nov 16th, 2016
Exploitablity Period
ongoing
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Daniel Grzelak, Atlassian