low

AWS RDS does not enforce SSL/TLS encryption

Published Thu, Mar 10th, 2022

Platforms

aws

Summary

Amazon RDS does not require TLS for client connections by default, so clients can connect to a database instance in plaintext and credentials and query traffic cross the network unencrypted. Additionally, for the widely used MySQL and MariaDB engine types, the server-side setting that would require TLS cannot be enabled at all, so those instances accept plaintext connections regardless of configuration.

Affected Services

RDS

Remediation

For engines other than MySQL and MariaDB, set require_secure_transport (MySQL-compatible engines such as Aurora MySQL) or rds.force_ssl (PostgreSQL and SQL Server) in the DB parameter group, or the DB cluster parameter group for Aurora, attached to the database. The default parameter groups cannot be modified, so create a custom parameter group, enable the parameter there, and attach it to the instance or cluster; rds.force_ssl on SQL Server is a static parameter and takes effect only after a reboot. For MySQL and MariaDB there is no known workaround other than ensuring that clients connect to these databases only from within the VPC. In general, ensure that RDS database instances that do not require TLS are not reachable from public networks: leave PubliclyAccessible disabled and scope security groups to known sources. Requiring TLS on the server does not by itself authenticate the server, so clients should also validate the RDS certificate chain (for example, sslmode=verify-full for PostgreSQL) rather than merely encrypting the session.
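The following script is an added example, not part of this entry or of Kloudle's tooling. It audits a list of RDS instances for TLS enforcement and public exposure and prints the CLI command that would fix each finding. The engine-to-parameter map, the severity scheme, and the input shape (a constructed list mirroring the JSON of aws rds describe-db-instances, with the relevant parameters of each instance's effective parameter group attached) are this example's assumptions; MySQL and MariaDB are mapped to no control because the entry reports no parameter-level workaround for them.

```python
"""Audit RDS instances for TLS enforcement (added example, not the entry's code).

Input is a constructed list shaped like `aws rds describe-db-instances` output,
with the parameters of the instance's effective parameter group attached under
"Parameters" (as `aws rds describe-db-parameters` would return them).
"""
from __future__ import annotations

# Parameter that requires TLS for each engine, and the ApplyMethod it needs:
# rds.force_ssl is dynamic on PostgreSQL but static on SQL Server (reboot).
# mysql/mariadb map to None: the entry reports no parameter-level workaround.
ENFORCING_PARAM: dict[str, tuple[str, str] | None] = {
    "postgres": ("rds.force_ssl", "immediate"),
    "aurora-postgresql": ("rds.force_ssl", "immediate"),
    "sqlserver-ex": ("rds.force_ssl", "pending-reboot"),
    "sqlserver-web": ("rds.force_ssl", "pending-reboot"),
    "sqlserver-se": ("rds.force_ssl", "pending-reboot"),
    "sqlserver-ee": ("rds.force_ssl", "pending-reboot"),
    "aurora-mysql": ("require_secure_transport", "immediate"),
    "mysql": None,
    "mariadb": None,
}
TRUE_VALUES = {"1", "on", "true"}


def tls_enforced(engine: str, parameters: list[dict]) -> bool | None:
    """True/False when the engine has a TLS-enforcing parameter; None when it has none."""
    control = ENFORCING_PARAM.get(engine)
    if control is None:
        return None
    name, _ = control
    for param in parameters:
        if param.get("ParameterName") == name:
            value = str(param.get("ParameterValue") or "").strip().lower()
            return value in TRUE_VALUES
    return False  # parameter unset: engine default, which does not require TLS


def remediation_command(engine: str, group_name: str, cluster: bool = False) -> str | None:
    """Build the AWS CLI call that turns the enforcing parameter on for a custom group."""
    control = ENFORCING_PARAM.get(engine)
    if control is None:
        return None
    name, apply_method = control
    value = "ON" if name == "require_secure_transport" else "1"
    verb = "modify-db-cluster-parameter-group" if cluster else "modify-db-parameter-group"
    flag = "--db-cluster-parameter-group-name" if cluster else "--db-parameter-group-name"
    return (f"aws rds {verb} {flag} {group_name} "
            f"--parameters ParameterName={name},ParameterValue={value},ApplyMethod={apply_method}")


def audit(instances: list[dict]) -> list[dict]:
    """Return one finding per instance that accepts plaintext connections."""
    findings = []
    for inst in instances:
        engine = inst["Engine"]
        enforced = tls_enforced(engine, inst["Parameters"])
        if enforced:
            continue
        public = bool(inst.get("PubliclyAccessible"))
        findings.append({
            "instance": inst["DBInstanceIdentifier"],
            "engine": engine,
            "public": public,
            # A public endpoint that accepts plaintext is the case the entry warns about.
            "severity": "high" if public else "low",
            "reason": ("engine has no TLS-enforcing parameter; restrict access to the VPC"
                       if enforced is None else "parameter group does not require TLS"),
            "fix": remediation_command(engine, inst["ParameterGroupName"],
                                       inst.get("ClusterParameterGroup", False)),
        })
    return findings


# Constructed sample input (not real account data).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "pg-prod", "Engine": "postgres", "PubliclyAccessible": False,
     "ParameterGroupName": "pg14-custom",
     "Parameters": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]},
    {"DBInstanceIdentifier": "pg-analytics", "Engine": "postgres", "PubliclyAccessible": True,
     "ParameterGroupName": "pg14-analytics",
     "Parameters": [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]},
    {"DBInstanceIdentifier": "aurora-orders", "Engine": "aurora-mysql", "PubliclyAccessible": False,
     "ParameterGroupName": "aurora-mysql8-custom", "ClusterParameterGroup": True,
     "Parameters": []},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "PubliclyAccessible": True,
     "ParameterGroupName": "default.mysql5.7", "Parameters": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES):
        print(finding)
```

On real data, feed audit() the result of describe-db-instances joined with describe-db-parameters (or describe-db-cluster-parameters for Aurora). The generated command only works against a custom parameter group; if an instance still uses a default.* group, create a custom group from the same family and attach it first.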

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/riyazwalikar

Entry Status

Finalized

Disclosure Date

Sun, Dec 26th, 2021

Exploitability Period

Ongoing

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Riyaz Walikar, Kloudle