low

VPC Hosted Zones unauditable

Published Fri, May 24th, 2019
Platforms

Summary

For 6 years, it was not possible to see what hosted zones an attacker may have created in an account. This issue could be viewed as a business decision that adding the ability to view this data was not worthwhile, but the delay is significant and would allow someone who had compromised an environment to maintain a backdoor.

Affected Services

N/A

Remediation

Audit your VPC hosted zones
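
One way to run that audit, as an added example that is not part of the original entry: it walks the Route 53 `ListHostedZonesByVPC` API (boto3 `list_hosted_zones_by_vpc`) for one VPC and reports zones owned by another account or missing from an expected list. The account IDs, zone IDs, VPC ID and the `FakeRoute53` stand-in are constructed so the block runs offline; pass `boto3.client("route53")` instead to audit a real VPC.

```python
def list_zones_for_vpc(route53, vpc_id, vpc_region):
    """Yield every hosted zone associated with one VPC, following NextToken."""
    kwargs = {"VPCId": vpc_id, "VPCRegion": vpc_region}
    while True:
        page = route53.list_hosted_zones_by_vpc(**kwargs)
        yield from page.get("HostedZoneSummaries", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_vpc(route53, vpc_id, vpc_region, own_account, expected_zone_ids):
    """Return (zone_id, name, reason) for each associated zone that needs review."""
    findings = []
    for zone in list_zones_for_vpc(route53, vpc_id, vpc_region):
        account = zone.get("Owner", {}).get("OwningAccount")
        if account and account != own_account:
            reason = f"owned by other account {account}"
        elif zone["HostedZoneId"] not in expected_zone_ids:
            reason = "not in expected zone list"
        else:
            continue
        findings.append((zone["HostedZoneId"], zone["Name"], reason))
    return findings


class FakeRoute53:
    """Constructed two-page response standing in for boto3.client('route53')."""
    PAGES = {
        None: {"HostedZoneSummaries": [
            {"HostedZoneId": "ZEXAMPLE1", "Name": "corp.internal.",
             "Owner": {"OwningAccount": "111111111111"}},
            {"HostedZoneId": "ZEXAMPLE2", "Name": "api.example.com.",
             "Owner": {"OwningAccount": "999999999999"}}],
            "NextToken": "page2"},
        "page2": {"HostedZoneSummaries": [
            {"HostedZoneId": "ZEXAMPLE3", "Name": "db.internal.",
             "Owner": {"OwningAccount": "111111111111"}}]},
    }

    def list_hosted_zones_by_vpc(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


def demo():
    # Constructed inputs: our account is 111111111111 and only ZEXAMPLE1 is expected.
    return audit_vpc(FakeRoute53(), "vpc-0example", "us-east-1",
                     "111111111111", {"ZEXAMPLE1"})
```

Run it once per VPC and region, and keep the expected zone list under change control so new associations show up as findings.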

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, May 13th, 2019
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Ryan Gerstenkorn