Researchers have disclosed privilege-escalation vulnerabilities affecting Amazon Elastic Container Service (ECS) and Google Cloud Platform. The findings expose the risk of scheduling high-privilege tasks alongside low-privilege tasks on shared infrastructure, and they underline why robust isolation and least-privilege practices matter across cloud environments.
Amazon's long-standing guidance is not to run high-privilege workloads on the same instance as untrusted or low-privilege workloads, and these findings show why. Where stronger isolation is needed, AWS Fargate runs each task in its own isolation boundary rather than on a shared EC2 host, which removes the shared-host attack surface that container escapes of this kind depend on. The recent vulnerabilities underscore the importance of implementing cloud security best practices to protect sensitive data from unauthorized access.
Security Recommendations for AWS Users
Amazon Web Services (AWS) has published recommendations for reducing the risk from these vulnerabilities. They are to disable, or tightly restrict, access to the Instance Metadata Service (IMDS) from containerized tasks, and to minimize the permissions granted to the ECS agent and the instance role it runs under. Trimming the agent's permissions matters because whatever the agent can do, an attacker who steals its credentials can do too, so every unnecessary permission enlarges the attack surface.
Monitoring for unusual use of Identity and Access Management (IAM) roles lets organizations detect and respond quickly to suspicious activity, for example a task role calling APIs the task never normally uses. The experts also noted that the principle of least privilege should apply to every service account, especially in cloud environments: a role that holds only the permissions its task needs limits what an attacker gains by stealing its credentials.
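As an added example (not from the page, and not AWS's own tooling), the following audit checks a container instance's settings against the two recommendations above. The inputs are constructed: an EC2 launch-template metadata block, an /etc/ecs/ecs.config file, a task definition and the output of `iptables -S DOCKER-USER`. The checks rely on three documented facts: IMDSv2 with a hop limit of 1 is unreachable from bridge-mode containers because the PUT response's TTL expires at the Docker hop; the agent setting `ECS_AWSVPC_BLOCK_IMDS=true` blocks IMDS for awsvpc tasks; and a DOCKER-USER rule dropping traffic from `docker+` to 169.254.169.254 blocks it for bridge-mode tasks. Tasks in host network mode share the instance's network namespace and bypass all of these, so they are flagged too. Field names and values are illustrative.

```python
"""Audit ECS container-instance hardening against the IMDS-restriction advice.

Added example; not the page's or AWS's own code. Every input below is
constructed for illustration and is not real account data.
"""
import re

# --- Constructed sample inputs: a weakly configured instance ---
WEAK_METADATA = {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                 "HttpPutResponseHopLimit": 2}
WEAK_ECS_CONFIG = "ECS_CLUSTER=prod\nECS_AWSVPC_BLOCK_IMDS=false\n"
WEAK_TASK_DEF = {"family": "batch", "networkMode": "host",
                 "containerDefinitions": [{"name": "worker", "privileged": True}]}
WEAK_IPTABLES = "-N DOCKER-USER\n-A DOCKER-USER -j RETURN\n"

# --- Constructed sample inputs: the same instance after hardening ---
HARD_METADATA = {"HttpEndpoint": "enabled", "HttpTokens": "required",
                 "HttpPutResponseHopLimit": 1}
HARD_ECS_CONFIG = "ECS_CLUSTER=prod\nECS_AWSVPC_BLOCK_IMDS=true\n"
HARD_TASK_DEF = {"family": "web", "networkMode": "awsvpc",
                 "containerDefinitions": [{"name": "web", "privileged": False}]}
HARD_IPTABLES = ("-N DOCKER-USER\n"
                 "-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP\n"
                 "-A DOCKER-USER -j RETURN\n")

# Matches the AWS-documented rule that drops container traffic to IMDS.
IMDS_DROP = re.compile(r"^-A DOCKER-USER .*-d 169\.254\.169\.254/32 .*-j DROP$")


def parse_ecs_config(text):
    """Parse KEY=VALUE lines of /etc/ecs/ecs.config, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(metadata, ecs_config_text, task_def, iptables_dump):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if metadata.get("HttpEndpoint") == "enabled":
        if metadata.get("HttpTokens") != "required":
            findings.append("IMDSv1 still allowed: set HttpTokens=required")
        if metadata.get("HttpPutResponseHopLimit", 1) > 1:
            findings.append("IMDS hop limit > 1: bridge-mode containers can "
                            "obtain IMDSv2 tokens; set the hop limit to 1")
    cfg = parse_ecs_config(ecs_config_text)
    if cfg.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() != "true":
        findings.append("ECS_AWSVPC_BLOCK_IMDS is not true: awsvpc tasks can reach IMDS")
    if not any(IMDS_DROP.match(l.strip()) for l in iptables_dump.splitlines()):
        findings.append("no DOCKER-USER rule drops docker+ traffic to 169.254.169.254")
    family = task_def.get("family", "?")
    if task_def.get("networkMode") == "host":
        findings.append(f"task {family}: host network mode shares the instance "
                        "network namespace and bypasses both IMDS blocks")
    for container in task_def.get("containerDefinitions", []):
        if container.get("privileged"):
            findings.append(f"task {family}: container {container['name']} is privileged")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_METADATA, WEAK_ECS_CONFIG, WEAK_TASK_DEF, WEAK_IPTABLES):
        print("FINDING:", f)
    print("hardened instance findings:",
          audit(HARD_METADATA, HARD_ECS_CONFIG, HARD_TASK_DEF, HARD_IPTABLES))
```

In practice the four inputs come from `aws ec2 describe-launch-template-versions`, the instance's /etc/ecs/ecs.config, `aws ecs describe-task-definition` and `iptables -S DOCKER-USER` on the host; the audit is meant to run over every task definition scheduled onto the cluster, not just one.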
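The monitoring advice above is easiest to act on as a baseline-and-deviation check over CloudTrail. The example below is added here and is not from the page or any vendor; the events are constructed in the CloudTrail field layout (`userIdentity.arn`, `eventSource`, `eventName`, `userAgent`, `errorCode`), and the role, session and user-agent values are invented. It learns, per task role, which API actions and which client families are normal, then flags a first use of an action, an unexpected client family (for example the AWS CLI appearing under a role that only ever used a Java SDK) and a run of AccessDenied errors in one session, which is what permission probing with stolen credentials looks like. Source IP is deliberately not used: when credentials are stolen on the same EC2 host, as in ECScape, the attacker's calls come from the same address as the legitimate task.

```python
"""Flag unusual use of ECS task IAM roles in CloudTrail-style events.

Added example; not the page's or any vendor's code. All events are
constructed and every ARN, session ID and user agent is invented.
"""
from collections import Counter, defaultdict

ACCOUNT = "111122223333"  # hypothetical account ID
SDK_UA = "aws-sdk-java/1.12.500 Linux/5.10 OpenJDK_64-Bit_Server_VM/17"
CLI_UA = "aws-cli/2.15.30 Python/3.11.6 Linux/6.1.0 exe/x86_64"


def ev(role, session, source, name, user_agent, error=None):
    """Build a minimal CloudTrail-shaped event for a task-role session."""
    event = {
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}"},
        "eventSource": source, "eventName": name, "userAgent": user_agent,
    }
    if error:
        event["errorCode"] = error
    return event


# Constructed baseline: what the payments task normally does (session = task ID).
BASELINE_EVENTS = [
    ev("PaymentsTaskRole", "7f3c1a9e", "dynamodb.amazonaws.com", "GetItem", SDK_UA),
    ev("PaymentsTaskRole", "7f3c1a9e", "dynamodb.amazonaws.com", "PutItem", SDK_UA),
]

# Constructed new window: the same role's credentials used from the CLI to probe.
NEW_EVENTS = [
    ev("PaymentsTaskRole", "7f3c1a9e", "dynamodb.amazonaws.com", "GetItem", SDK_UA),
    ev("PaymentsTaskRole", "7f3c1a9e", "sts.amazonaws.com", "GetCallerIdentity", CLI_UA),
    ev("PaymentsTaskRole", "7f3c1a9e", "secretsmanager.amazonaws.com", "ListSecrets",
       CLI_UA, "AccessDenied"),
    ev("PaymentsTaskRole", "7f3c1a9e", "secretsmanager.amazonaws.com", "GetSecretValue",
       CLI_UA, "AccessDenied"),
    ev("PaymentsTaskRole", "7f3c1a9e", "ec2.amazonaws.com", "DescribeInstances",
       CLI_UA, "AccessDenied"),
]


def ua_family(user_agent):
    """'aws-cli/2.15.30 Python/...' -> 'aws-cli'; 'Boto3/1.34 ...' -> 'boto3'."""
    return user_agent.split("/", 1)[0].split(" ", 1)[0].lower()


def role_and_session(event):
    """Split '.../assumed-role/<RoleName>/<SessionName>' into its two parts."""
    _, role, session = event["userIdentity"]["arn"].rsplit("/", 2)
    return role, session


def build_baseline(events):
    """Per role: the set of actions and client families seen in normal traffic."""
    base = defaultdict(lambda: {"actions": set(), "agents": set()})
    for e in events:
        role, _ = role_and_session(e)
        base[role]["actions"].add(f'{e["eventSource"]}:{e["eventName"]}')
        base[role]["agents"].add(ua_family(e["userAgent"]))
    return base


def detect(baseline, events, denied_threshold=3):
    """Return de-duplicated alert strings for deviations from the baseline."""
    alerts, seen, denied = [], set(), Counter()

    def emit(msg):
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)

    for e in events:
        role, session = role_and_session(e)
        action = f'{e["eventSource"]}:{e["eventName"]}'
        known = baseline.get(role)
        if known is None:
            emit(f"{role}: no baseline for this role; review session {session}")
            continue
        if action not in known["actions"]:
            emit(f"{role}/{session}: first use of {action}")
        fam = ua_family(e["userAgent"])
        if fam not in known["agents"]:
            emit(f"{role}/{session}: unexpected client {fam} "
                 f"(baseline: {sorted(known['agents'])})")
        if e.get("errorCode") == "AccessDenied":
            denied[(role, session)] += 1
            if denied[(role, session)] == denied_threshold:
                emit(f"{role}/{session}: {denied_threshold} AccessDenied errors, "
                     "consistent with permission probing")
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT:", alert)
```

The baseline should be built from a window long enough to cover the task's scheduled and error-path behaviour, otherwise routine but infrequent calls will page on-call; the per-session AccessDenied count is the lowest-noise signal of the three, because a correctly provisioned task with a least-privilege role should almost never be denied.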
“The most effective mitigation strategy to protect your environment from similar threat actor behavior is to ensure that all SAs [service accounts] within your cloud environment adhere to the principle of least privilege and that no legacy cloud SAs are still in use,” – Talos
It is just as important to keep cloud services, and the dependencies those services pull in, updated with the latest security patches. Neglecting patches leaves systems exposed to exploitation of flaws that are already public.
“Ensure that all cloud services and dependencies are up to date with the latest security patches. If legacy SAs are present, replace them with least-privilege SAs,” – Talos
Implications of ConfusedFunction Vulnerability
The recent disclosure of the ConfusedFunction vulnerability put cybersecurity teams on alert. ConfusedFunction began as a Google Cloud privilege-escalation vulnerability, but the same pattern has been reported to apply to other cloud platforms, including AWS and Azure. That portability is what makes it dangerous: it opens the door for attackers to abuse AWS Lambda and Azure Functions to gain unauthorized access to sensitive resources.
Here is how the bug researchers found in Google Cloud Composer worked: a misconfiguration involving the “gcbrunaddPatchSet” permission allowed privilege escalation. The flaw points to a broader danger. Together with another misconfiguration that recently exposed critical Internet Exchange infrastructure, it shows how attackers can leverage misconfigured cloud services.
Attackers could turn Google’s own cloud infrastructure against the company. Without proper protections, that would let them snoop on the internal Local Area Networks (LANs) at Internet Exchange Points (IXPs), a serious threat to the confidentiality and integrity of the traffic crossing them.
Vulnerability in Voting Systems
Cloud platforms are not the only place such issues surface. A race condition was found in a voting system’s bot, in the timing of bug submissions during the code-merge process. This vulnerability, together with weaknesses in how labels were managed, raises questions about the safety of voting mechanisms in digital spaces.
We spoke with Haziz, a cloud security researcher, about the systemic problems that lead to such vulnerabilities. He noted:
“The core lesson is that you should treat each container as potentially compromisable and rigorously constrain its blast radius.”
He highlighted the design risk of running many tasks with different privilege levels on a single host. Haziz explained:
“AWS’s convenient abstractions (task roles, metadata service, etc.) make life easier for developers, but when multiple tasks with different privilege levels share an underlying host, their security is only as strong as the mechanisms isolating them – mechanisms which can have subtle weaknesses.”
Haziz elaborated on how ECScape exploits these weaknesses:
“By impersonating the agent’s upstream connection, ECScape completely collapses that trust model: one compromised container can passively collect every other task’s IAM role credentials on the same EC2 instance and immediately act with those privileges.”
He described how the attacker’s malicious session mimics legitimate agent behaviour:
“Our malicious session mimics the agent’s expected behavior – acknowledging messages, incrementing sequence numbers, sending heartbeats – so nothing seems amiss.”