low

VPC Hosted Zones unauditable

Published Fri, May 24th, 2019

Platforms

aws

Summary

For 6 years, it was not possible to see what hosted zones an attacker may have created in an account. This issue could be viewed as a business decision that adding the ability to viewing this data was not worthwhile, but the delay is significant and would allow someone that had compromised an environment to maintain a backdoor.

Affected Services

N/A

Remediation

Audit your VPC hosted zones

Tracked CVEs

No tracked CVEs

References

https://twitter.com/__steele/status/1273748905826455552https://blog.ryanjarv.sh/2019/05/24/backdooring-route53-with-cross-account-dns.html

Contributed by https://github.com/RyanJarv

Entry Status

Finalized

Disclosure Date

Mon, May 13th, 2019

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Ryan Gerstenkorn

More vulnerabilities...

medium

Impersonate GCP Organization Through the Organizations Update Method

gcp

A GCP Organizations name could be changed through the (deprecated) organizations.update method in the Resource Manager, even though the documentation said the "displayName" was read-only. With thi...

Ezequiel Pereira
medium

Azure Cloud Shell terminal escape

azure

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue was later discovered in AWS as well.

Felix Wilhelm, Google
low

Resource policy confused deputy issue with services

aws

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan ...

Dan Peebles, Bridgewater
View all