Severity

high

CloudFormation resource provider credentials leak

Published Tue, Sep 22nd, 2020

Platforms

aws

Summary

CloudFormation allows the use of Lambda-backed resource providers, in which a Lambda function carries custom provisioning logic that is executed during CloudFormation stack operations. These Lambda functions were executed in an AWS-managed account (effectively allowing arbitrary code execution in that account), and were passed a set of credentials ("platformCredentials") for a role in that account that had several EventBridge permissions. These permissions were sufficient for an attacker to create new rules in the AWS-managed account that leaked credentials belonging to other users of resource providers. For example, creating a rule that matched events with {"detail-type": ["AWS API Call via CloudTrail"]} exposed records of other tenants' API calls, which included copies of credentials for roles in other tenants' accounts.

Affected Services

CloudFormation

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Tue, Jan 21st, 2020

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Aidan Steele