low

Partial CloudTrail logging in AWS Control Tower

Published Mon, Mar 20th, 2023

Platforms

Summary

AWS Control Tower was not properly logging to CloudTrail when API calls failed due to a lack of permissions. This could have helped an adversary with existing access to a victim AWS environment avoid detection while enumerating privileges, since any unsuccessful API calls would not generate "access denied" log entries.

Affected Services

Control Tower

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/

Contributed by https://github.com/frichetten

Entry Status

Finalized

Disclosure Date

Mon, Jan 30th, 2023

Exploitability Period

Until 2023/02/13

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Nick Frichette, Datadog

More vulnerabilities...

medium

CloudTrail bypass for AWS Service Catalog

Due to an exposed development endpoint, it was possible to bypass CloudTrail logging for both read and write API actions for the Service Catalog service. This could have enabled adversaries to alte...

Nick Frichette, DatadogMar 19, 2023

medium

Super FabriXss

Azure Service Fabric Explorer (SFX) was affected by an XSS vulnerability that could have allowed a malicious script to be reflected off a web application. After a potential victim clicked on a craf...

Lidor Ben Shitrit, Orca Sec...Mar 14, 2023

medium

Imposter commits vulnerability in GitHub Actions

A vulnerability in GitHub Actions allows bypassing workflow settings using commits from forked repositories (rather than commits of the main action repo). This "imposter commits" issue can potentia...

Billy Lynch, ChainguardMar 8, 2023

View all