AWS fixes 'confused deputy' vulnerability in AppSync
Datadog security researchers found the flaw before miscreants did
Amazon Web Services (AWS) fixed a cross-tenant flaw in AWS AppSync that could allow miscreants to abuse that cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those resources.
Security researchers at Datadog identified the bug and reported it to AWS on September 1. Five days later the tech giant pushed a fix to the AppSync service, which Datadog confirmed solved the problem.
No customers were affected by the vulnerability and no customer action is required, according to AWS.
In a statement posted on Monday, the cloud services provider thanked Datadog for reporting the "case-sensitivity parsing issue" in AppSync.
"AWS moved immediately to correct this issue when it was reported," it read. "Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted."
AWS AppSync provides a GraphQL interface for application developers to combine data from Amazon DynamoDB, AWS Lambda, and external APIs like Datadog. In addition to predefined data sources, developers can create integrations to allow AppSync to directly call APIs by creating a role that gives AppSync the required identity and access management (IAM) permissions.
Because Datadog integrates with AppSync, the company's security researchers wanted to see if they could "trick" the AWS service into assuming a role and then accessing and controlling resources from other data sources.
- Amazon squashes years-old authentication bugs in AWS Kubernetes service
- Microsoft's attempts to harden Kerberos authentication broke it on Windows Servers
- VMware warns of three critical holes in remote-control tool
- Serendipitous discovery nets security researcher $70k bounty
In a proof of concept, they described it as a "confused deputy problem," where an attacker convinces a service with higher-level privileges — AppSync, in this case — to perform an action for the attacker.
To do this, the researchers found a way to bypass the Amazon Resource Name (ARN) validation via a mixed-case JSON payload. Instead of a request using the normal "serviceRoleArn" case, they modified the request using an all lowercase "servicerolearn."
After bypassing the ARN validation, an attacker could "cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," they wrote. "By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles."
Ultimately, this would give the attacker complete control over the victim's resources, the researchers added: "This would allow the attacker to interact with this data source as if they owned it." ®