Security researchers recently identified potential vulnerabilities in signature wrapping techniques and advanced cross-site scripting used by some AWS services. The potential vulnerabilities have been corrected and no customers have been impacted. Below is a summary of the research findings and a reminder of best practices for proper user validation. Customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities.
The research showed that errors in SOAP parsing may have resulted in specially crafted SOAP requests with duplicate message elements and/or missing cryptographic signatures being processed. If this were to occur, an attacker who had access to an unencrypted SOAP message could potentially take actions as another valid user and perform invalid EC2 actions. For example, if an attacker could inappropriately obtain a previously generated, pre-signed SOAP request of an EC2 customer, or a customer’s public X.509 certificate, he could potentially generate arbitrary SOAP requests on behalf of another customer.
While it would be difficult to obtain a pre-signed SOAP request or an X.509 certificate, the researchers stated this could potentially be accomplished by an attacker if the customer sent their SOAP requests over HTTP instead of HTTPS in a public setting subject to interception, or left the full content of their SOAP requests in a location accessible to an attacker (such as a public messaging forum). Additionally, security researchers discovered and reported other Cross-Site Scripting (XSS) flaws that could have been used to obtain the customer’s public X.509 certificate. Obtaining a customer’s public X.509 certificate in this manner could allow an attacker to generate arbitrary SOAP requests on behalf of the customer, allowing exploitation of the vulnerability described above.
Both the SOAP and XSS vulnerabilities have been corrected and extensive log analysis has determined that no customers were impacted.
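The kind of structural check a SOAP endpoint can apply before signature verification to refuse requests with duplicate message elements or missing signatures, shown as an added example that is not AWS's code or its fix. The function name, the sample messages and the use of WS-Security `wsu:Id` references are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = "{%s}Id" % WSU

def structural_problems(xml_text):
    """Hypothetical pre-check: returns reasons to reject (empty list = layout OK).
    It does not verify the signature value; that remains a separate step."""
    root = ET.fromstring(xml_text)
    problems = []
    all_bodies = list(root.iter(SOAP + "Body"))   # Body elements anywhere
    top_bodies = root.findall(SOAP + "Body")      # direct children of Envelope
    if len(all_bodies) != 1 or len(top_bodies) != 1:
        problems.append("duplicate or misplaced Body (%d found)" % len(all_bodies))
    if len(list(root.iter(DS + "Signature"))) != 1:
        problems.append("missing or duplicate Signature")
    ids = Counter(e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID))
    problems += ["Id %r used more than once" % i for i, n in ids.items() if n > 1]
    signed = {r.get("URI", "").lstrip("#") for r in root.iter(DS + "Reference")}
    # The Body the service will act on must be the element the signature covers.
    if top_bodies and top_bodies[0].get(WSU_ID) not in signed:
        problems.append("processed Body is not covered by the signature")
    return problems

# Constructed sample messages (signature values omitted; layout only).
NS = ('xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsu="%s"' % WSU)
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
       '</ds:SignedInfo></ds:Signature>')
BODY = '<s:Body wsu:Id="%s"><Action>DescribeImages</Action></s:Body>'

def envelope(header, body):
    return "<s:Envelope %s><s:Header>%s</s:Header>%s</s:Envelope>" % (NS, header, body)

GOOD = envelope(SIG, BODY % "body-1")
UNSIGNED = envelope("", BODY % "body-1")
DUPLICATED = envelope(SIG + "<Wrapper>" + BODY % "body-1" + "</Wrapper>",
                      BODY % "body-2")

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("UNSIGNED", UNSIGNED), ("DUPLICATED", DUPLICATED)]:
        print(name, structural_problems(msg) or "accepted")
```

A request that passes these checks still needs full cryptographic signature verification and certificate validation before any action is taken.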
As a reminder, AWS recommends a number of security best practices to protect our customers:
AWS would like to thank the following individuals for reporting these vulnerabilities and sharing our passion for security:
Juraj Somorovsky, Mario Heiderich, Meiko Jensen, and Jörg Schwenk of Ruhr-University Bochum, Germany
Nils Gruschka of NEC Europe
Luigi Lo Iacono of Cologne University of Applied Sciences, Germany
Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.