low

GuardDuty detection bypass via cloudtrail

Published Thu, Apr 23rd, 2020

Platforms

Summary

GuardDuty detected CloudTrail being outright disabled, but did not detect if an attacker with the necessary permissions filtered out all events from CloudTrail via PutEventSelectors, resulting in defenders having no logs to review. AWS fixed this issue by adding a GuardDuty detection that triggers if PutEventSelectors is used to disable all event types.

Affected Services

GuardDuty

Remediation

As a safety measure, set up additional detections independent of GuardDuty.

Tracked CVEs

No tracked CVEs

References

https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass https://twitter.com/0xdabbad00/status/1258909131605307393

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Thu, Apr 23rd, 2020

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Spencer Gietzen, Rhino Security

More vulnerabilities...

low

GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)

Google Cloudshell leveraged websockets without validating that the origin matched the current instance host. An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disab...

PsiMar 11, 2020

high

Google wide domain check bypass

A vulnerability in Google's common JavaScript library allowed bypassing domain validation checks across multiple Google products. By using a backslash character in URLs, an attacker could make the ...

David SchützMar 8, 2020

critical

Azure App Service RCE

A Vulnerability in App Service could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system, thereby escaping the sandbox. This vulnerability allowed ...

Ronen Shustin, Check PointJan 30, 2020

View all