Organizations that increasingly rely on Amazon Web Services infrastructure need to assess the security controls and configuration of the critical connections to their application services or risk a serious security breach, a security researcher warns.
Andres Riancho, an application security expert who leads the development and maintenance of the w3af web application security scanning project, warned attendees at the 2014 Black Hat USA Briefings that cloud security risks stem from system configuration weaknesses and common web application vulnerabilities. A single configuration error gives a determined attacker a pathway to control virtual instances and access critical resources stored at AWS or any other cloud hosting service. In his presentation, Pivoting In Amazon Clouds, Riancho demonstrated Nimbostratus, a tool he designed to exploit Amazon infrastructure.
Web application developers and any administrator maintaining Amazon Elastic Compute Cloud (EC2) deployments need to pay close attention to the security of the architecture they use, Riancho said during the presentation, which he also gave at two recent security conferences. Most vulnerabilities and misconfigurations exploited today have fixes and workarounds, but the default setups are insecure, Riancho said.
"It is my impression that this is not Amazon’s fault that these issues exist," he said. "Most of the vulnerabilities this year are from misconfigurations or small things where the developers working on applications made mistakes."
Solution providers have documented consistent cases of poorly configured and maintained Amazon Web Services accounts that expose a wide variety of sensitive information, much of it in database backups stored in the AWS S3 storage service. A study conducted last year by researchers at vulnerability management vendor Rapid7 uncovered thousands of publicly visible files, including account credentials and sales records. Following the study, AWS Chief Information Security Officer Stephen Schmidt launched a security blog to communicate security best practices and provide information about proper configurations and system maintenance.
Organizations risk facing similar issues in competing cloud infrastructure services, including offerings from Google and Rackspace. The problem has given rise to providers that focus on security, including Firehost, a Dallas-based startup that provides secure infrastructure and managed hosting services.
Riancho walked through his attack at Black Hat. It began with exploiting a vulnerability in a web application hosted on an EC2 instance in the Amazon cloud. The step-by-step process involved mapping the meta-data server, modifying functions to exploit the flaw, and using the Nimbostratus tool to dump all the information from the meta-data server.
The attack also relies on user-data boot scripts, which are used to automate the installation and configuration of software on EC2 instances. From them, Riancho uncovered the repository where the web application lived and the private and public keys used to access it; he then downloaded the source code and identified the functions that configured it.
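The defensive counterpart to that step is to make sure boot scripts never carry the kind of material Riancho found in them. The following is an added example written for this article, not code from Riancho or the Nimbostratus project: it scans a user-data script for embedded private keys, AWS credential assignments and SSH-based repository clones, so a review pipeline can reject an instance launch before the script is ever exposed to the instance. The sample script, its key material and its credential values are constructed placeholders; the pattern list is an assumption about what a team would want flagged and should be extended to match local conventions.

```python
import re
from typing import List, Tuple

# Constructed sample user-data boot script, modeled on the automation
# scripts the article describes. Every key and credential value below is
# a fake placeholder, not a real secret.
SAMPLE_USER_DATA = """#!/bin/bash
apt-get install -y git
mkdir -p /root/.ssh
cat > /root/.ssh/id_rsa <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAfakekeymaterialfakekeymaterialfakekeymaterial
-----END RSA PRIVATE KEY-----
EOF
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
export AWS_SECRET_ACCESS_KEY=fakefakefakefakefakefakefakefakefakefake
git clone git@example.invalid:org/webapp.git /srv/webapp
"""

# (finding name, compiled pattern) pairs. These are assumed heuristics:
# a PEM private-key header, the AKIA prefix of a long-lived AWS access
# key id, a secret-key environment assignment, and an SSH git clone that
# implies a deploy key is present on the instance.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_key_assignment", re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+")),
    ("git_ssh_clone", re.compile(r"git clone\s+\S+@\S+:")),
]


def scan_user_data(script: str) -> List[Tuple[str, int]]:
    """Return (finding name, 1-based line number) for every line that
    matches one of the secret patterns, in script order."""
    findings: List[Tuple[str, int]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def user_data_is_clean(script: str) -> bool:
    """Gate for a launch pipeline: True only when nothing was flagged."""
    return not scan_user_data(script)


if __name__ == "__main__":
    for name, lineno in scan_user_data(SAMPLE_USER_DATA):
        print(f"line {lineno}: {name}")
    print("clean" if user_data_is_clean(SAMPLE_USER_DATA) else "rejected")
```

The remediation the scanner points toward is the one the article implies: keep deploy keys and API credentials out of user-data entirely and let the instance obtain short-lived credentials through its role instead, so that nothing recoverable from the boot script grants access on its own.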
The next stage of the attack was to pivot to more sensitive resources by exploiting Amazon EC2 instance profiles, which automate the assignment of credentials, roles and access rights to instances. He used Nimbostratus to dump the credentials, and details from the profiles yielded clues to exploiting Amazon SQS, the service used to store messages between servers, and to gaining the ability to execute code.
Riancho then gained access to three server instances supporting the architecture and took control of the Amazon Identity and Access Management (IAM) service connected to the account, which gave him access to the underlying MySQL database. From there he was able to create a privileged user with access to all the stored information.
"I found an important database that wasn't able to be accessed before and was rocking the cloud at that point," Riancho said. "My message is simply that developers are working on Amazon so security needs to be more knowledgeable about it too."
PUBLISHED AUG. 6, 2014