medium

AWS CloudTrail bypass for specific IAM actions

Published Tue, Jan 17th, 2023

Platforms

Summary

Through an undocumented API service called 'iamadmin', attackers could invoke any of 13 read-only IAM actions without the activity being being logged to CloudTrail. These actions included listing group policies (iam:ListGroupPolicies), listing access keys (iam:ListAccessKeys), retrieving information about a role (iam:GetRole), and more. This could have enabled adversaries to perform enumeration and reconnaissance activity undetected after gaining a foothold in a victim AWS environment.

Affected Services

IAM

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/

Contributed by https://github.com/frichetten

Disclosure Date

Thu, Mar 10th, 2022

Exploitablity Period

Until 2022/10/24

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Nick Frichette, Datadog

More vulnerabilities...

high

SSH key injection in Google Cloud Compute Engine

Google Cloud Compute Engine (GCE) was vulnerable to SSH key injection by abusing an SSH-in-browser feature to change username and password. An attacker could send a specially-crafted link to a targ...

Sivanesh Ashok

Thu, Jan 12th, 2023

medium

ACSESSED

Azure Cognitive Search (ACS) is a full-text search engine service. A new non-default feature allowed for a network control to bypassed, permitting an attacker to submit search queries to any other ...

Emilien Socchi, mnemonic

Thu, Dec 22nd, 2022

medium

Azure Serverless Functions escape to host

In Azure Serverless Functions, a new container is generated by the host for every function, which is then terminated and deleted after several minutes. Palo Alto discovered that an API call was ava...

Aviv Sasson, Daniel Prizman...

Thu, Dec 15th, 2022

View all