medium

Signature version 1 (SigV1) is insecure

Published Thu, Dec 18th, 2008

Platforms

aws

Summary

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attacker would be able to modify signed requests via specially constructed collisions.
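The collision class described above, as an added example (not code from AWS or from this entry): SigV1's string-to-sign, as publicly documented, sorts parameters by name ignoring case and concatenates names and values with no delimiters, so two different parameter sets can share one signature. The parameter names, values and key are constructed, and the delimited form is a simplified SigV2-style query canonicalization (the full SigV2 string also covers the HTTP verb, host and path).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo key; not a real credential.
DEMO_SECRET = b"constructed-demo-secret"

def sigv1_string_to_sign(params):
    """SigV1-style canonical form: sort by name ignoring case, then
    concatenate each name and value with no separators."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(name + value for name, value in ordered)

def delimited_string_to_sign(params):
    """SigV2-style query canonicalization: percent-encode, sort in byte
    order, join with '=' and '&' so field boundaries are signed too."""
    enc = lambda s: quote(s, safe="-_.~")
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def sign(string_to_sign, secret=DEMO_SECRET):
    """HMAC-SHA1 over the canonical string, base64-encoded."""
    mac = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

# Two different constructed parameter sets (hypothetical names and values).
REQUEST_A = {"Tag": "Name1", "Version": "2008"}
REQUEST_B = {"TagName": "1", "Version": "2008"}

def compare(a=REQUEST_A, b=REQUEST_B):
    """Report whether the two requests share a signature under each scheme."""
    v1 = sign(sigv1_string_to_sign(a)) == sign(sigv1_string_to_sign(b))
    v2 = sign(delimited_string_to_sign(a)) == sign(delimited_string_to_sign(b))
    return {"v1_collides": v1, "delimited_collides": v2}

if __name__ == "__main__":
    print("SigV1 string A:", sigv1_string_to_sign(REQUEST_A))
    print("SigV1 string B:", sigv1_string_to_sign(REQUEST_B))
    print(compare())
```

The general lesson for any request-signing design is that the signed canonical form must encode field boundaries unambiguously, so that distinct requests can never serialize to the same byte string.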

Affected Services

N/A

Remediation

None required; SigV1 is deprecated at this point.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

-

Exploitability Period

until December 18th, 2008

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Colin Percival
