low

Resource policy confused deputy issue with services

Published Wed, Nov 28th, 2018

Platforms

Summary

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan Peebles and presented at re:Invent in 2018, this issue did not gain enough attention to be fixed until Shir Tamari and Ami Luttwak from Wiz presented it at Black Hat 2021.

Affected Services

N/A

Remediation

Update existing vulnerable IAM policies by adding scoping condition.

Tracked CVEs

No tracked CVEs

References

https://www.youtube.com/watch?v=F3JmBhTQmyY&t=2475s https://summitroute.com/blog/2019/04/03/advanced_aws_policy_auditing_confused_deputies_with_aws_services/https://www.wiz.io/blog/black-hat-2021-aws-cross-account-vulnerabilities-how-isolated-is-your-cloud-environment

Contributed by https://github.com/a10ns

Disclosure Date

Wed, Nov 28th, 2018

Exploitablity Period

until February 2021

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Dan Peebles, Bridgewater

More vulnerabilities...

medium

Launching EC2s did not require specifying AMI owner

Attackers had put malicious AMIs in the marketplace to abuse the CLI''s way of selecting what AMI to use. Although the concept of planting malicious AMIs had existed for a while (ex. in the 2009 p...

Megan Marsh

Mon, Aug 13th, 2018

low

Subdomain takeover via Azure Traffic Manager

Patrick Hudak demonstrated possible subdomain takeover using the Traffic Manager in Azure.

Patrick Hudak

Fri, Aug 10th, 2018

medium

Bypassable and overly-privileged IAM policies

AWS has previously provided managed policies or guidance in documentation for policies with mistakes that allow them to be bypassed. Additionally, some policies are over-privileged. Date of disclos...

Multiple findings

Tue, Nov 7th, 2017

View all