medium

AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

Published Sun, Aug 4th, 2019

Platforms

aws

Summary

AWS offers a metadata service accessible to most EC2 instances via a simple GET request to 169.254.169.254. If an application on an instance has an SSRF vulnerability, attackers can reach the metadata service through it and exfiltrate the credentials of an attached IAM role to gain privileged access to the relevant AWS environment.

Affected Services

EC2

Remediation

Enforce the use of IMDSv2 on the instance. This will require use of a POST request to generate an access token, which mitigates most SSRF vulnerabilities.
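
To find instances that still accept IMDSv1, the following added example (not part of the original entry) audits output shaped like `aws ec2 describe-instances` and emits the enforcement command for each finding. The sample data, instance IDs and the `audit_imds` helper are constructed for illustration; treating a missing `MetadataOptions` block as IMDSv1-allowed is a conservative assumption.

```python
# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
ARN = "arn:aws:iam::123456789012:instance-profile/example-profile"
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0000000d",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000b", "IamInstanceProfile": {"Arn": ARN},
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000c", "IamInstanceProfile": {"Arn": ARN},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    {"InstanceId": "i-0example0000000a", "IamInstanceProfile": {"Arn": ARN},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
]}]}


def audit_imds(describe_output):
    """Return instances whose metadata endpoint is reachable without a token."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # Assumption: absent MetadataOptions is treated as IMDSv1 allowed.
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # metadata service switched off entirely
            if opts.get("HttpTokens", "optional") == "required":
                continue  # IMDSv2 already enforced
            iid = inst["InstanceId"]
            findings.append({
                "instance_id": iid,
                # An attached role is what makes the exposure yield credentials.
                "role_profile": inst.get("IamInstanceProfile", {}).get("Arn"),
                "fix": ("aws ec2 modify-instance-metadata-options "
                        f"--instance-id {iid} "
                        "--http-tokens required --http-endpoint enabled"),
            })
    # Instances with an IAM role attached come first: remediate those first.
    findings.sort(key=lambda f: (f["role_profile"] is None, f["instance_id"]))
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE):
        label = "ROLE ATTACHED" if f["role_profile"] else "no role"
        print(f"{f['instance_id']} [{label}]\n  {f['fix']}")
```
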

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/blakedunson

Entry Status

Finalized

Disclosure Date

Sun, Aug 4th, 2019

Exploitability Period

ongoing

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

-