high

Lake Formation data lake admin override

Published Thu, Aug 15th, 2019

Platforms

aws

Summary

Shortly after Lake Formation was made generally available, a bug was discovered that allowed anyone to view and override the data lake admins of any account (an attacker would only have needed to know the target account number in advance). The root cause lay in the Catalog ID field, which references the Glue metadata store that Lake Formation uses to hold its configuration: none of the API methods that accepted this field checked permissions on the account being accessed, only on the calling (source) account. Moreover, CloudTrail wrote the log entries only to the source account, so anyone auditing the destination account would have had no way to observe the suspicious activity. Following disclosure, AWS fixed the bug.

Affected Services

Lake Formation

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Thu, Aug 15th, 2019

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Ian Mckay