medium

AWS Console rate limit bypass

Published Mon, Feb 6th, 2023
Platforms

Summary

AWS applies a rate limit to authentication requests made to the AWS Console in an effort to prevent brute-force and credential stuffing attacks. However, a weakness was discovered in the AWS Console authentication flow that allowed a partial bypass of this rate limit by pausing for 5 seconds every 30 attempts. This would enable an attacker to continuously attempt more than 280 passwords per minute (4.6 per second) against IAM users, which could have resulted in account compromise of users without MFA enabled.

Affected Services

AWS Console

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Wed, Dec 7th, 2022
Exploitablity Period
Until January 26th, 2023
Known ITW Exploitation
-
Detection Methods
Detect potential brute-force behavior using the CloudTrail ConsoleLogin event.
Piercing Index Rating
-
Discovered by
Christophe Tafani-Dereeper, Datadog