medium

Signature version 1 (SigV1) is insecure

Published Thu, Dec 18th, 2008

Platforms

Summary

When making authenticated API requests to AWS, the requests must be signed with your AWS access key. The initial signing algorithm, SigV1, was vulnerable to collisions. A person-in-the-middle attack would be able to modify signed requests via specially constructed collisions.

Affected Services

N/A

Remediation

None required, SigV1 is deprecated at this point

Tracked CVEs

No tracked CVEs

References

http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Exploitablity Period

until December 18th, 2008

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Colin Percival

More vulnerabilities...

View all