
Black Hat 2014: Researcher reveals Amazon cloud security weaknesses

At Black Hat 2014, a researcher showed how AWS cloud security flaws and misconfigurations can have devastating consequences for AWS customers that don't take security seriously.

LAS VEGAS -- A well-known researcher says security professionals aren't paying enough attention to the security of applications hosted in Amazon Web Services (AWS) cloud infrastructure, and without more focus on Amazon cloud security, AWS customers may be vulnerable to attacks that expose private information, impersonate AWS EC2 instances and much worse.

Speaking Wednesday at Black Hat USA 2014, Andres Riancho, founder of Argentina-based consultancy Bonsai Information Security and the project leader for the open source w3af security framework, detailed his experience providing penetration testing services for a client's Web application that was being hosted in the AWS infrastructure.

Despite not having much experience with Amazon's cloud services, Riancho learned through the engagement that there are numerous potential vulnerabilities and misconfigurations that could expose companies operating in the AWS cloud to unmitigated disaster.

"If you are interested in security, if you are somehow in charge of the security of those applications," said Riancho, "you need to know about this."

Research unveils web of potential AWS vulnerabilities, misconfigurations

As for what he uncovered through the pen test, Riancho said it was first important for attendees to understand that all AWS EC2 instances store metadata, which can include details about Amazon Machine Images -- used to create virtual machines with EC2 -- as well as the region where the Amazon data center hosting an instance is located, the local IP address and more.

Since he quickly discovered that each bit of stored metadata was like a breadcrumb highlighting the trail toward other bits of important cloud application data, Riancho began his research project by creating a metadata extraction tool called nimbostratus, which he used to fingerprint the AWS cloud infrastructure being used by the Web application.

After downloading the metadata hosted on the Web application's server, Riancho said he discovered an AWS security group that had been configured through a user-data script, one of several ways that an EC2 instance can be configured. Such user-data scripts tend to contain useful information from an attacker's perspective, he said, because they must specify where to retrieve the source code for a particular Web application.

Riancho said that the user-data script for his client's Web application revealed a treasure trove of useful details, including the repository where the Web application lived as well as the private and public keys needed to grant him access to the repository and download the Web app's source code.

Next, Riancho set about unraveling the rest of the cloud-based Web application's infrastructure. For EC2 instances to access services such as S3, AWS provides instance profiles that share credentials with an EC2 instance when it starts. Despite the powerful nature of those credentials -- they give an attacker the same permissions as the EC2 instance from which they are stolen -- Riancho said they are stored within the same metadata that he originally uncovered on the Web app's server.

With those valuable credentials in hand, Riancho wrote another tool to test which AWS API functions could be accessed with his newly acquired credentials. In this instance, Riancho uncovered a function named "ListQueues" which, after some research, he discovered could be used to access the AWS Simple Queue Service (SQS) messaging queue system.

Further investigation showed Riancho that he could write a message to the SQS queue, and that Celery -- an asynchronous job and task queue -- was also in use in the environment, despite a warning in Celery's own documentation that its pickle serialization capability is "inherently insecure" and exposes AWS applications to a potentially devastating attack.

"Going back to our target system, we know that we can write things to the SQS queue, and we know that the [worker servers] are going to deserialize whatever is sent to the SQS queue, and we know that it is using pickle," said Riancho. "So if I write something in a custom format to the SQS queue, and if it's in the right format, it's going to execute arbitrary commands. It was actually pretty easy."
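The weak Celery setting Riancho describes beside its hardened form, as an added example (not code from the talk or from the client's application). The Celery setting names are real; the worker-side decoder, the task allow-list and the sample queue messages are constructed for illustration, and the point is that a worker which only accepts JSON never reaches pickle.loads no matter what is written to the queue.

```python
import json
import pickle

# Celery settings (real setting names). The first accepts pickle, so a queue
# message controls deserialization; the second only accepts JSON.
INSECURE_CELERY_CONFIG = {"accept_content": ["pickle", "json"], "task_serializer": "pickle"}
HARDENED_CELERY_CONFIG = {"accept_content": ["json"], "task_serializer": "json",
                          "result_serializer": "json"}

# Content types Celery/Kombu use for the two serializers.
CONTENT_TYPES = {"json": "application/json", "pickle": "application/x-python-serialize"}

# Hypothetical allow-list of task names this worker is willing to dispatch.
KNOWN_TASKS = {"app.tasks.send_email", "app.tasks.resize_image"}


def decode_message(msg, config):
    """Decode a queue message the way a worker would, honouring accept_content.

    msg is {"content_type": str, "body": bytes}; config is a Celery settings
    dict. Raises ValueError rather than deserializing unexpected input.
    """
    accepted = {CONTENT_TYPES[s] for s in config["accept_content"]}
    ctype = msg["content_type"]
    if ctype not in accepted:
        raise ValueError(f"rejected content type {ctype!r}; accept_content={config['accept_content']}")
    if ctype == CONTENT_TYPES["json"]:
        task = json.loads(msg["body"].decode("utf-8"))
    else:
        # Only reachable when pickle is explicitly accepted: pickle.loads runs
        # whatever the message author serialized, which is the risk described above.
        task = pickle.loads(msg["body"])
    # Even for JSON, validate structure before dispatching anything.
    if not isinstance(task, dict) or task.get("task") not in KNOWN_TASKS:
        raise ValueError("unknown or malformed task")
    if not isinstance(task.get("args", []), list):
        raise ValueError("args must be a list")
    return task


# Constructed sample messages (not captured from any real queue).
JSON_MSG = {"content_type": CONTENT_TYPES["json"],
            "body": json.dumps({"task": "app.tasks.send_email", "args": ["user@example.com"]}).encode()}
PICKLE_MSG = {"content_type": CONTENT_TYPES["pickle"],
              "body": pickle.dumps({"task": "app.tasks.send_email", "args": ["user@example.com"]})}
UNKNOWN_MSG = {"content_type": CONTENT_TYPES["json"],
               "body": json.dumps({"task": "app.tasks.not_registered", "args": []}).encode()}
```

Writes to the queue still need to be restricted with SQS permissions; the serializer setting only limits what a worker will do with a message that does arrive.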

From that point, Riancho discovered that the credentials for the worker server were hard-coded -- a security no-no -- and by performing the same enumeration process with the worker server's credentials, he was able to uncover a MySQL database that his client had also deployed in AWS. A certain line of the configuration of the MySQL database, "", told him that the database was located in the Amazon Relational Database Service (RDS).

Riancho was unable to dump the MySQL database, but he found a misconfiguration that allowed him to perform any action on the AWS Identity and Access Management API, enabling him to create a random user with the necessary privileges to access the database.
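The IAM misconfiguration described above is the kind of thing a policy audit should catch before an attacker does. The following is an added example (not from the talk or any real account) that scans an IAM policy document for Allow statements whose Action wildcards cover user-creation and privilege-granting calls; the two sample policies and the list of audited actions are constructed assumptions.

```python
import fnmatch

# Constructed sample policies (not from the talk or any real account).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs"},
    ],
}

# IAM actions that let a principal create or empower other principals. This is a
# hypothetical audit list, not an AWS-published one; extend it for your environment.
PRIVILEGE_GRANTING_ACTIONS = ["iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                              "iam:PutUserPolicy", "iam:CreateLoginProfile", "iam:PassRole"]


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_escalation_grants(policy):
    """Return (pattern, action, resources) for every audited action an Allow permits.

    Matches IAM wildcards ("*", "iam:*", "iam:Create*") case-insensitively, as IAM
    does. NotAction/Deny statements are not modelled and need separate handling.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in PRIVILEGE_GRANTING_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((pattern, action, _as_list(stmt.get("Resource", []))))
    return findings
```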

Finally, with those escalated privileges, Riancho said he was able to manage the MySQL database through RDS, which allowed him to take a snapshot of the database, restore the snapshot in RDS, and then set the root password for the restored snapshot, which contained all the same information as the original. That gave him access to more sensitive information, though a malicious actor could just as easily change the password for the original RDS instance and potentially create a denial-of-service situation.

Riancho warned that this particular situation was largely not the result of missteps on the part of AWS, but rather a series of mistakes on the part of the Web application's developers. Such mistakes are easy to make and likely to be repeated in the future unless enterprise security researchers and professionals get more involved in securing the AWS architecture.

"Developers are leading the way" in the transition to cloud services, said Riancho, "and we need to help them secure the Amazon architecture they are using."

Riancho's discussion raised some concerns about Amazon cloud security, but the recent hack of AWS-hosted Code Spaces was the realization of such concerns. Learn how multifactor authentication may have prevented the Code Spaces incident.

1 comment

Wonder if this could be what brings Microsoft's cloud closer to its competitor?