Vulnerability Allowed One-Click Takeover of AWS Service Accounts

March 21, 2024 at 09:45AM

Cybersecurity company Tenable disclosed a one-click vulnerability in an AWS service that allowed complete user account takeover. Named FlowFixation, it affected Amazon Managed Workflows for Apache Airflow (MWAA). The flaw, now patched, enabled session manipulation that led to takeover of the Airflow web management panel and potentially to remote code execution. Tenable's wider findings on misconfigured shared parent domains prompted action from AWS and Microsoft.

The report details Tenable's disclosure of a vulnerability named FlowFixation, which allowed complete control of user accounts on AWS's Managed Workflows for Apache Airflow (MWAA) service. The vulnerability combined a session fixation issue in the MWAA web management panel with a cross-site scripting issue made possible by an AWS domain misconfiguration: an attacker could plant a session of their choosing in a victim's browser and then act as the victim in the panel. Because the Airflow panel lets a user define and trigger workflows that execute code, exploiting this vulnerability could lead to unauthorized access and potential remote code execution.

Tenable also highlighted a broader issue related to shared parent domains in cloud services provided by vendors like AWS, Azure, and Google Cloud. Browsers consult the Public Suffix List (PSL) to decide which domains count as separate sites: a cookie cannot be scoped to a listed suffix, so subdomains of a listed suffix cannot share cookies. When a vendor serves many customers' consoles from subdomains of one shared parent that is not on the list, a page on one customer's subdomain can set cookies that the browser then sends to every other customer's subdomain. This opens the door to session fixation abuse and to bypassing cookie-based CSRF protection.

While AWS and Microsoft took steps to mitigate the risks following Tenable’s report, Google decided not to implement a fix, deeming the issue not severe enough to be tracked as a security concern.

Tenable emphasized the importance of adding such shared parent domains to the PSL, so that browsers isolate tenant subdomains from one another, to prevent exploitation of vulnerabilities like FlowFixation and other flaws found in these services.
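The cookie-scoping behaviour behind the shared-parent-domain issue, and the effect of listing the parent on the PSL, can be modelled in a few dozen lines. The following is an added example written for this summary; it is not Tenable's or AWS's code, and the host names (`attacker-tenant.…`, `victim-tenant.…`, `tenants.cloud-vendor.example`) and the two-entry stand-in for the PSL are constructed for illustration. It implements the RFC 6265 domain-matching rule and the browser rule that rejects a `Domain` attribute naming a public suffix, then runs the two-tenant scenario from the paragraphs above with the parent off and on the list.

```python
"""Model of how a shared parent domain lets one tenant's cookie reach another
tenant, and how listing that parent on the Public Suffix List (PSL) stops it.
Added illustration, not Tenable's or AWS's code; the host names and the
mini PSL used below are constructed for the example."""


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the host is the cookie's
    domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    """Minimal cookie store applying the two browser rules this issue turns on:
    a cookie may be scoped to any parent the setting host sits under, and a
    Domain attribute that names a public suffix is rejected outright."""

    def __init__(self, public_suffixes):
        self.public_suffixes = {s.lower().strip(".") for s in public_suffixes}
        self.cookies = []  # (domain, host_only, name, value), in creation order

    def set_cookie(self, setting_host, name, value, domain=None):
        """Store a Set-Cookie issued by setting_host; returns whether accepted."""
        if domain is None:
            domain, host_only = setting_host.lower(), True
        else:
            domain, host_only = domain.lower().strip("."), False
            if domain in self.public_suffixes:
                return False  # browsers drop cookies scoped to a public suffix
            if not domain_matches(setting_host, domain):
                return False  # a host may not set cookies for unrelated domains
        # a later cookie with the same name and domain replaces the earlier one
        self.cookies = [c for c in self.cookies
                        if not (c[0] == domain and c[2] == name)]
        self.cookies.append((domain, host_only, name, value))
        return True

    def cookie_header(self, request_host):
        """Cookie header a request to request_host would carry. Creation order
        is the tie-break RFC 6265 section 5.4 uses for cookies with equal
        paths, so the earlier-planted cookie comes first."""
        request_host = request_host.lower()
        sent = []
        for domain, host_only, name, value in self.cookies:
            if host_only and request_host != domain:
                continue
            if not host_only and not domain_matches(request_host, domain):
                continue
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def victim_request_cookies(shared_parent, public_suffixes):
    """Two tenants served from subdomains of shared_parent. The attacker's
    tenant scopes a session cookie to the parent; the victim then logs in to
    its own tenant, which sets a host-only session cookie. Returns
    (attacker cookie accepted?, Cookie header the victim's tenant receives)."""
    jar = CookieJar(public_suffixes)
    attacker_host = "attacker-tenant." + shared_parent
    victim_host = "victim-tenant." + shared_parent
    accepted = jar.set_cookie(attacker_host, "session", "ATTACKER-CHOSEN",
                              domain=shared_parent)
    jar.set_cookie(victim_host, "session", "VICTIM-REAL")  # victim's real login
    return accepted, jar.cookie_header(victim_host)


if __name__ == "__main__":
    parent = "tenants.cloud-vendor.example"  # constructed shared parent domain
    # Parent absent from the PSL: the attacker-chosen cookie is sent to the
    # victim's tenant on every request, ahead of the real one.
    print(victim_request_cookies(parent, {"example"}))
    # Parent listed on the PSL: the browser refuses the cross-tenant cookie.
    print(victim_request_cookies(parent, {"example", parent}))
```

With the parent off the list, the victim's tenant receives `session=ATTACKER-CHOSEN; session=VICTIM-REAL`; many server frameworks take the first value of a duplicated cookie name, which is the fixation the report describes. With the parent on the list, only `session=VICTIM-REAL` is sent. The same scoping is why a cookie-based CSRF token planted from one tenant can be replayed against another when the parent is not listed.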

Additionally, the article mentions related vulnerabilities and incidents, including a Microsoft cloud vulnerability that led to Bing search hijacking and exposure of Office 365 data, as well as the exploitation of the 'Looney Tunables' glibc vulnerability in cloud attacks.