low

VPC Hosted Zones unauditable

Published Fri, May 24th, 2019

Platforms

Summary

For 6 years, it was not possible to see what hosted zones an attacker may have created in an account. This issue could be viewed as a business decision that adding the ability to viewing this data was not worthwhile, but the delay is significant and would allow someone that had compromised an environment to maintain a backdoor.

Affected Services

N/A

Remediation

Audit your VPC hosted zones

Tracked CVEs

No tracked CVEs

References

https://twitter.com/__steele/status/1273748905826455552 https://blog.ryanjarv.sh/2019/05/24/backdooring-route53-with-cross-account-dns.html

Contributed by https://github.com/RyanJarv

Disclosure Date

Mon, May 13th, 2019

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ryan Gerstenkorn

More vulnerabilities...

medium

Azure Cloud Shell terminal escape

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue was later discovered in AWS as well.

Felix Wilhelm, Google

Wed, Jan 9th, 2019

low

Resource policy confused deputy issue with services

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan ...

Dan Peebles, Bridgewater

Wed, Nov 28th, 2018

medium

Launching EC2s did not require specifying AMI owner

Attackers had put malicious AMIs in the marketplace to abuse the CLI''s way of selecting what AMI to use. Although the concept of planting malicious AMIs had existed for a while (ex. in the 2009 p...

Megan Marsh

Mon, Aug 13th, 2018

View all