medium

Signature version 1 (SigV1) is insecure

Published Thu, Dec 18th, 2008

Platforms

Summary

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attack would be able to modify signed requests via specially constructed collisions.

Affected Services

N/A

Remediation

None required, SigV1 is deprecated at this point

Tracked CVEs

No tracked CVEs

References

http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html

Contributed by https://github.com/ramimac

Disclosure Date

Exploitablity Period

until December 18th, 2008

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Colin Percival

More vulnerabilities...

critical

AWS Amplify IAM role publicly assumable exposure

The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Ampl...

Nick Frichette, Datadog

Mon, Apr 15th, 2024

high

Azure Site Recovery privilege escalation

When the ASR service is enabled, it uses an Automation Account with a System-Assigned Managed Identity to manage Site Recovery extensions on VMs. However, the Runbook (a set of scripts for managing...

Joshua Murrell, NetSPI

Tue, Feb 13th, 2024

medium

Azure HDInsight privilege escalation and DoS vulnerabilities

Three privilege escalation and denial-of-service vulnerabilities were discovered in Azure HDinsight, related to their usage of Apache Oozie and Ambari. The root cause of at least one of these vulne...

Lidor Ben Shitrit, Orca Sec...

Tue, Feb 6th, 2024

View all