Severity
low

Data exfil via VPC endpoint denials in CloudTrail

Published Tue, Oct 15th, 2024

Summary

CloudTrail delivered an event to both the resource owner's account and the API caller's account even when the VPC endpoint policy denied the API action. This could have served as a stealthy data exfiltration channel for an attacker who had already compromised a workload inside a VPC: the attacker controls the user agent string sent with each request, and by targeting a resource in an account they own they receive the CloudTrail event for the denied call, user agent included. Data packed into the user agent field of deliberately denied requests therefore left the VPC despite the restrictions the endpoint policy was meant to enforce.
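The entry lists no detection method. As an added example (not part of the original entry, and not code from Tracebit or AWS), the following Python scans CloudTrail records for calls that were denied while traversing a VPC endpoint and flags user agent strings that carry a long base64-like token, decoding the token so an analyst can see what was smuggled. The sample records are constructed; the CloudTrail field names (errorCode, errorMessage, userAgent, vpcEndpointId, userIdentity) are documented fields, while the errorMessage wording, the payload and the thresholds are assumptions.

```python
"""Flag CloudTrail records where a request denied at a VPC endpoint carries a
base64-like payload in its user agent (added example, constructed data)."""
import base64
import binascii
import math
import re
from collections import Counter

# Heuristic thresholds (assumptions; tune against your own user-agent baseline).
MIN_TOKEN_LEN = 32          # shortest token worth treating as a smuggled chunk
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Payload a hypothetical attacker smuggles, base64-encoded into the user agent.
SMUGGLED_PAYLOAD = b"exfil-chunk-01: hosts=db-primary.internal,db-replica.internal"
SMUGGLED_TOKEN = base64.b64encode(SMUGGLED_PAYLOAD).decode()

NORMAL_UA = ("aws-cli/2.15.30 Python/3.11.6 Linux/6.1.0 "
             "exe/x86_64.amzn.2023 prompt/off command/s3.get-object")
DENY_MSG = "Access denied with an explicit deny in a VPC endpoint policy (constructed)"
PRINCIPAL = "arn:aws:sts::111122223333:assumed-role/app/i-0abc"

# Constructed CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; values and the errorMessage text are made up.
SAMPLE_RECORDS = [
    {   # 1: ordinary allowed call through the endpoint
        "eventID": "evt-allowed-1", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"arn": PRINCIPAL},
        "vpcEndpointId": "vpce-0123456789abcdef0", "userAgent": NORMAL_UA,
    },
    {   # 2: denied by the endpoint policy, but the UA is a normal CLI string
        "eventID": "evt-denied-benign", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"arn": PRINCIPAL},
        "vpcEndpointId": "vpce-0123456789abcdef0", "userAgent": NORMAL_UA,
        "errorCode": "AccessDenied", "errorMessage": DENY_MSG,
    },
    {   # 3: denied by the endpoint policy, UA padded with a base64 chunk
        "eventID": "evt-denied-exfil", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"arn": PRINCIPAL},
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "userAgent": NORMAL_UA + " " + SMUGGLED_TOKEN,
        "errorCode": "AccessDenied", "errorMessage": DENY_MSG,
    },
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 approaches 6, prose sits near 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_vpce_denied(record: dict) -> bool:
    """True for AccessDenied calls that traversed a VPC endpoint. The channel
    described in the entry is an endpoint-policy denial, but any denial through
    the endpoint produces the same kind of event and deserves the same look.
    The errorMessage wording matched here is an assumption."""
    if record.get("errorCode") != "AccessDenied":
        return False
    return "vpcEndpointId" in record or \
        "VPC endpoint policy" in record.get("errorMessage", "")


def smuggled_tokens(user_agent: str) -> list[tuple[str, bytes]]:
    """Return (token, decoded) pairs for base64-like tokens long enough to
    carry data. Legitimate SDK/CLI tokens contain '.', '-', '_' or '#'
    (versions, platform strings) and so fail the base64 alphabet test."""
    hits = []
    for tok in re.split(r"[\s()]+", user_agent):
        if len(tok) < MIN_TOKEN_LEN or len(tok) % 4 or not B64_RE.fullmatch(tok):
            continue
        try:
            hits.append((tok, base64.b64decode(tok, validate=True)))
        except (binascii.Error, ValueError):
            continue
    return hits


def find_exfil_candidates(records: list[dict]) -> list[dict]:
    """One finding per denied event whose user agent decodes to a payload."""
    findings = []
    for rec in records:
        if not is_vpce_denied(rec):
            continue
        ua = rec.get("userAgent", "")
        hits = smuggled_tokens(ua)
        if not hits:
            continue
        findings.append({
            "eventID": rec.get("eventID"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "vpcEndpointId": rec.get("vpcEndpointId"),
            "api": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "ua_entropy_bits": round(shannon_entropy(ua), 2),
            "payloads": [decoded for _, decoded in hits],
        })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_RECORDS):
        print(finding)
```

Two caveats for anyone adapting this. First, the copy of the event an attacker wants is the one delivered to the resource owner's account, which the victim never sees; the victim-side signal is the caller's copy, so the scan has to run on the trail of the account that owns the compromised VPC. Second, a single chunk is not exfiltration: a real channel needs many denied requests, so counting AccessDenied events per principal and endpoint over time is a cheaper first filter than decoding every user agent.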

Affected Services

VPC Endpoints

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Tue, Jun 4th, 2024
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Sam Cox, Tracebit