medium

3rd party vendor confused deputy via AssumeRole

Published Wed, Nov 16th, 2016

Platforms

Summary

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their AWS role trust policies, leading to confused deputy issues. These misconfigurations could allow customers to access other customers' data. Although vendors are responsible for ensuring their own configurations are correct, AWS could theoretically add mitigations to prevent and detect this issue.

Affected Services

N/A

Remediation

Audit your vendor roles.

Tracked CVEs

No tracked CVEs

References

https://www.youtube.com/watch?v=8ZXRw4Ry3mQ https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/

Contributed by https://github.com/0xdabbad00

Disclosure Date

Wed, Nov 16th, 2016

Exploitablity Period

ongoing

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Daniel Grzelak, Atlassian

More vulnerabilities...

low

AWS published official AMIs with recoverable deleted files

Researchers, while investigating the security posture of Public AMIs, were able to undelete files from an official image that was published by Amazon AWS.

Marco Balduzzi, Jonas Zadda...

Sat, Jun 4th, 2011

medium

Signature version 1 (SigV1) is insecure

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attac...

Colin Percival

Thu, Dec 18th, 2008

critical

AWS Amplify IAM role publicly assumable exposure

The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Ampl...

Nick Frichette, Datadog

Mon, Apr 15th, 2024

View all