An AWS Glue security flaw that allowed attackers to access and manipulate data belonging to other AWS customer accounts has been fixed by Amazon Web Services (AWS). AWS Glue is a serverless cloud data integration service that helps discover, prepare, and combine data for analytics, application development, and machine learning.
Security researchers at Orca Security were able to escalate privileges and access all of the service's resources in a region by exploiting an AWS Glue feature together with a misconfiguration in an internal service API.
“During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API,” clarified Yanir Tsarimi, a Cloud Security Researcher at Orca Security.
By combining that access with an internal misconfiguration in the Glue internal service API, the team was able to escalate privileges further within the account, to the point where they had unrestricted access to all of the service's resources in the region, including full administrative privileges.
During their research, the researchers used only Orca Security-owned AWS accounts and did not access information or data belonging to other AWS customers. While studying the flaw, they were able to assume roles in other AWS users' accounts that were trusted by the Glue service (every account that uses Glue has at least one such role).
They could also query and modify AWS Glue service resources in an AWS region, such as the metadata of Glue jobs, dev endpoints, workflows, crawlers, and triggers. Within hours of receiving Orca Security's report, the AWS Glue service team reproduced and validated the problem, and by the following day the issue had been largely fixed worldwide. Comprehensive mitigation for the Superglue issue was in place within a few days, preventing prospective attackers from gaining access to AWS Glue customers' data.
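The cross-account exposure above hinges on IAM roles whose trust policy lets the Glue service principal assume them. The following added example (not code from the article or from Orca Security) checks such trust policies for the standard confused-deputy mitigation, an `aws:SourceAccount` or `aws:SourceArn` condition that pins which account's Glue usage may assume the role; the sample policies and account id are constructed, and the live-account audit assumes `boto3` with valid credentials.

```python
from typing import List

GLUE_PRINCIPAL = "glue.amazonaws.com"
PINNING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def glue_trust_findings(role_name: str, trust_policy: dict) -> List[str]:
    """Return one finding per Allow statement that lets glue.amazonaws.com assume the
    role without an aws:SourceAccount / aws:SourceArn condition."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if GLUE_PRINCIPAL not in services:
            continue
        # Condition is {operator: {key: value}}; collect the condition keys case-insensitively.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & PINNING_KEYS:
            findings.append(f"{role_name}: {GLUE_PRINCIPAL} may assume this role without a "
                            "SourceAccount/SourceArn condition")
    return findings


# Constructed sample trust policies (not taken from the article); the account id is a placeholder.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": GLUE_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": GLUE_PRINCIPAL}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}}]}


def audit_live_account() -> List[str]:
    """Walk every IAM role in the caller's own account (assumes boto3 and credentials)."""
    import boto3  # imported here so the offline sample run needs no AWS SDK
    iam = boto3.client("iam")
    findings = []
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:  # AssumeRolePolicyDocument is already a parsed dict
            findings.extend(glue_trust_findings(role["RoleName"], role["AssumeRolePolicyDocument"]))
    return findings


if __name__ == "__main__":
    for line in glue_trust_findings("GlueRole-weak", WEAK_TRUST) + glue_trust_findings("GlueRole-ok", HARDENED_TRUST):
        print(line)
```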
The AWS security team has also corrected a second flaw, in the AWS CloudFormation service, discovered by Orca Security (dubbed BreakingFormation). According to the researchers, this XXE (XML External Entity) weakness exposed files and credentials of internal AWS infrastructure services.
AWS VP Colm MacCárthaigh, however, disputed the security firm's claims, stating that the BreakingFormation weakness could only have been leveraged to obtain host-level credentials and that AWS CloudFormation hosts do not have access to all AWS accounts' resources.
On January 13, an AWS spokesperson provided the following statement:
“We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence.”