medium

AWS Directory Service not checking iam:PassRole on EnableRoleAccess

Published Wed, Jun 7th, 2023

Platforms

Summary

AWS Directory Service didn't check the iam:PassRole permissions when using the EnableRoleAccess action. This could have been used for privilege escalation by an authenticated user with sufficient permissions (ds:EnableRoleAccess), if the role had a trust policy that allowed use by Directory Service.

Affected Services

Directory Service

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://cloudar.be/awsblog/spotted-privilege-escalation-in-aws-directory-service/https://aws.amazon.com/security/security-bulletins/AWS-2023-003/

Contributed by https://github.com/benbridts

Disclosure Date

Fri, Apr 7th, 2023

Exploitablity Period

Until 2023-04-24

Known ITW Exploitation

Detection Methods

Roles trusting Directory Service being assumed by unexpected users.

Piercing Index Rating

5.29

(PI:1.5/A3:1/A4:1/A5:1/A6:6/A7:1.1)

Discovered by

Ben Bridts, Cloudar

More vulnerabilities...

medium

Privilege escalation in GCP Cloud SQL

A vulnerability was discovered in Cloud SQL for SQL Server that allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the i...

Fri, Jun 2nd, 2023

high

Cloud SQL for SQL Server privilege escalation

A vulnerability discovered in GCP's Cloud SQL service allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the instance. Th...

Dig

Wed, May 24th, 2023

high

API Management SSRF and path traversal vulnerabilities

Azure API Management is an API gateway service meant to help organizations to create, manage, secure, and monitor APIs across all of their environments. Researchers found three high severity vulner...

Liv Matan, Ermetic

Thu, May 4th, 2023

View all