medium

AWS Directory Service not checking PassRole on EnableRoleAccess

Published Wed, Jun 7th, 2023

Platforms

Summary

AWS Directory Service didn't check the iam:PassRole permissions when using the EnableRoleAccess action. This could have been used for privilege escalation by an authenticated user with sufficient permissions (ds:EnableRoleAccess), if the role had a trust policy that allowed use by Directory Service.

Affected Services

Directory Service

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://cloudar.be/awsblog/spotted-privilege-escalation-in-aws-directory-service/https://aws.amazon.com/security/security-bulletins/AWS-2023-003/

Contributed by https://github.com/benbridts

Entry Status

Finalized

Disclosure Date

Fri, Apr 7th, 2023

Exploitability Period

Until 2023-04-24

Known ITW Exploitation

Detection Methods

Roles trusting Directory Service being assumed by unexpected users.

Piercing Index Rating

5.29

(PI:1.5/A3:1/A4:1/A5:1/A6:6/A7:1.1)

Discovered by

Ben Bridts, Cloudar

More vulnerabilities...

medium

Privilege escalation in GCP Cloud SQL

A vulnerability was discovered in Cloud SQL for SQL Server that allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the i...

Jun 2, 2023

high

Cloud SQL for SQL Server privilege escalation

A vulnerability discovered in GCP's Cloud SQL service allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the instance. Th...

DigMay 24, 2023

low

GuardDuty bypass via S3 permission modification

Threat actors in possession of IAM active credentials that had the power to update S3 bucket policies could have bypassed GuardDuty’s S3 detections and silently updated permissions for S3 resources...

Gem SecurityMay 18, 2023

View all