low

Data exfil via VPC endpoint denials in CloudTrail

Published Tue, Oct 15th, 2024

Platforms

Summary

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases where an attacker had previously compromised a VPC, by smuggling data through the user agent field in denied requests.

Affected Services

VPC Endpoints

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://tracebit.com/blog/breaching-the-data-perimeter-cloudtrail-as-a-mechanism-for-data-exfiltration

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Tue, Jun 4th, 2024

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Sam Cox, Tracebit

More vulnerabilities...

high

CloudShell Vulnerability Grants Unintended AWS Access

A vulnerability in AWS CloudShell allowed users to gain unintended command-line access to the underlying AWS infrastructure. During a training session, a delegate unexpectedly received the identity...

Paul SchwarzenbergerOct 15, 2024

low

Subdomain Takeover Vulnerability in GitLab Pages

A vulnerability in GitLab Pages allowed attackers to take over dangling custom domains pointing to 'instanceX.gitlab.io'. The issue occured when adding an unverified custom domain to GitLab Pages, ...

Philippe DelteilOct 9, 2024

high

Google Cloud Data Fusion GitHub Actions Vulnerabilities

Multiple "pwn request" vulnerabilities were discovered in Google Cloud Data Fusion, which is based on open-source CDAP code. These vulnerabilities affect GitHub Actions and allow for remote code ex...

Google Bug HuntersSep 26, 2024

View all