German researchers have published a report on security flaws in Amazon Web Services they said could give an attacker access to a user’s account and data.
The researchers, from Ruhr-University Bochum, said the AWS security vulnerabilities are in the two main authentication mechanisms used in Amazon EC2 control interface. The interface is vulnerable to “several new and classical variants of signature wrapping” and knowledge of a single-signed SOAP message could allow an attacker to compromise a customer’s account, they wrote in the report. The problem, they said, is it’s possible to generate arbitrary SOAP messages accepted by the interface from just one valid signature.
“To make things worse, in one attack variant, knowledge of the (public) X.509 certificate alone enabled a successful execution of an arbitrary cloud control operation on behalf of the certificate owner,” they said. “Those included actions such as starting or stopping virtual machines, downloading or uploading virtual machine images, resetting the administrator’s password for cloud instances, and so on.”
The AWS Web interface also is susceptible to cross-site scripting (XSS) attacks, the researchers said.
The research highlights how the complexity of cloud computing systems “creates a large seedbed” of potential vulnerabilities, they said: “Hence, cloud control interfaces are very likely to become one of the most attractive targets for organized crime in the nearby future.”
According to the researchers, the same XSS and SOAP parsing vulnerabilities exist in Eucalyptus, a private cloud platform. They said they reported the flaws to both vendors, which worked with them on fixes.
In an email statement, an Amazon spokesperson said the vulnerabilities were fixed months ago and no customers were impacted. “It’s important to note this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported,” the spokesperson said.
In addition, customers implementing AWS security best practices were not susceptible to the vulnerabilities, she added. AWS published a summary of the reported vulnerabilities along with a reminder of AWS security best practices.
“Regarding Amazon specifically, researchers did not have access to all Amazon.com customer data as has been reported. The process by which Amazon.com stores customer data would not enable researchers to see and expose information such as passwords or payment information as had been suggested,” according to the AWS spokesperson. “Additionally, the potential vulnerability reported by these researchers would require customers to intentionally follow a specific script and take various specific actions that had been created by the researchers.”