medium

CloudWatch Dashboard Sharing Exposes EC2 Tags

Published Thu, Jan 16th, 2025
Summary

A vulnerability in AWS CloudWatch dashboard sharing allowed anyone viewing a shared dashboard to read EC2 instance tags and potentially invoke Lambda functions in the account that shared the dashboard. The issue stemmed from a logic bug in the AWS Console, which granted the sharing role broader permissions than the dashboard needed, combined with a "fail open" condition in Amazon Cognito. AWS has since patched the vulnerability.

Affected Services

CloudWatch, Cognito, EC2, Lambda

Remediation

Review existing shared dashboards and limit their use. Restrict the IAM permissions that allow dashboard sharing. When custom dashboard features require additional IAM permissions, scope those permissions narrowly.

Tracked CVEs

No tracked CVEs

Entry Status
Stub (AI-Generated)
Disclosure Date
Fri, Jul 26th, 2024
Exploitability Period
Until 2024/08/28
Known ITW Exploitation
-
Detection Methods
Monitor CloudTrail for unexpected ec2:DescribeTags API calls, in particular calls made with credentials issued by a dashboard-sharing Cognito Identity Pool. Review Cognito Identity Pool configurations, especially the AllowClassicFlow setting.
Piercing Index Rating
-
Discovered by
Leonidas Tsaousis, WithSecure
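As an added example (not part of the original entry or of WithSecure's research), the following Python implements the two detection methods listed above against constructed data. It flags ec2:DescribeTags and Lambda Invoke CloudTrail events made with credentials issued by a Cognito Identity Pool, which the enhanced flow marks with the fixed STS session name CognitoIdentityCredentials, and it reviews a DescribeIdentityPool response for AllowClassicFlow and unauthenticated access. Because the classic flow lets the caller choose the session name, the detector also accepts a set of known dashboard-sharing role names. The account ID, role name, IP addresses, pool IDs and pool names are placeholders, and the CloudTrail records and pool descriptions are constructed sample input.

```python
"""Offline triage helpers for the detection methods above (added example)."""

# CloudTrail (eventSource, eventName) pairs worth reviewing for this issue.
# Lambda "Invoke" is only logged when Lambda data events are enabled.
WATCHED_CALLS = {
    ("ec2.amazonaws.com", "DescribeTags"),
    ("lambda.amazonaws.com", "Invoke"),
}

# Session name STS assigns to credentials obtained through the Cognito
# enhanced flow (GetCredentialsForIdentity).
COGNITO_SESSION_NAME = "CognitoIdentityCredentials"

SHARING_ROLE = "CloudWatch-Dashboard-Shared-Role"  # placeholder role name
ACCOUNT = "111122223333"                            # placeholder account ID


def _assumed_role_parts(arn):
    """Return (role_name, session_name) for an STS assumed-role ARN, else (None, None)."""
    if ":assumed-role/" not in arn:
        return None, None
    parts = arn.split("/")
    if len(parts) != 3:
        return None, None
    return parts[1], parts[2]


def find_suspicious_calls(records, sharing_roles=frozenset()):
    """Return watched API calls made via Cognito-issued credentials.

    A call matches when its session name is the enhanced-flow marker, or when
    the assumed role is one of the known dashboard-sharing roles (needed to
    catch classic-flow sessions, whose session name is chosen by the caller).
    """
    hits = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) not in WATCHED_CALLS:
            continue
        role, session = _assumed_role_parts(rec.get("userIdentity", {}).get("arn", ""))
        if role is None:
            continue  # IAM users and root are outside this check
        if session == COGNITO_SESSION_NAME or role in sharing_roles:
            hits.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec["eventName"],
                "role": role,
                "session": session,
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return hits


def review_identity_pool(pool):
    """Review a DescribeIdentityPool response; returns (severity, message) findings."""
    name = pool.get("IdentityPoolName") or pool.get("IdentityPoolId", "<unknown>")
    findings = []
    if pool.get("AllowClassicFlow", False):
        findings.append(("high", f"{name}: AllowClassicFlow is enabled; disable it unless the classic flow is required"))
    if pool.get("AllowUnauthenticatedIdentities", False):
        findings.append(("info", f"{name}: unauthenticated identities are allowed (expected for a publicly shared dashboard; confirm it should still be public)"))
    return findings


def _cognito_arn(session):
    return f"arn:aws:sts::{ACCOUNT}:assumed-role/{SHARING_ROLE}/{session}"


# Constructed CloudTrail records (not real log data).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-07-26T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeTags",
     "userIdentity": {"type": "AssumedRole", "arn": _cognito_arn(COGNITO_SESSION_NAME)},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-07-26T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeTags",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/ops-admin"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-07-26T10:06:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AssumedRole", "arn": _cognito_arn(COGNITO_SESSION_NAME)},
     "sourceIPAddress": "203.0.113.10"},
    # Classic flow: the caller picked the session name, so only the role name gives it away.
    {"eventTime": "2024-07-26T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeTags",
     "userIdentity": {"type": "AssumedRole", "arn": _cognito_arn("caller-chosen-session")},
     "sourceIPAddress": "203.0.113.11"},
]

# Constructed DescribeIdentityPool responses (placeholder IDs and names).
WEAK_POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000001",
             "IdentityPoolName": "dashboard-sharing-pool",
             "AllowUnauthenticatedIdentities": True, "AllowClassicFlow": True}
HARDENED_POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000002",
                 "IdentityPoolName": "dashboard-sharing-pool",
                 "AllowUnauthenticatedIdentities": True, "AllowClassicFlow": False}

if __name__ == "__main__":
    for hit in find_suspicious_calls(SAMPLE_CLOUDTRAIL, {SHARING_ROLE}):
        print("CALL", hit)
    for pool in (WEAK_POOL, HARDENED_POOL):
        for severity, message in review_identity_pool(pool):
            print(severity.upper(), message)
```

In practice the pool descriptions come from `aws cognito-identity list-identity-pools --max-results 60` followed by `aws cognito-identity describe-identity-pool --identity-pool-id <id>`, and the records from a CloudTrail or Athena query filtered to the watched event names. The unauthenticated-identities finding is informational because public dashboard sharing requires it; AllowClassicFlow is the setting to turn off, since the classic flow lets a caller pick the role and session name rather than receiving the role Cognito assigns.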