Reported SOAP Request Parsing Vulnerabilities
October 20, 2011
Security researchers recently identified potential vulnerabilities in signature wrapping techniques and advanced cross site scripting used by some AWS services. The potential vulnerabilities have been corrected and no customers have been impacted. Below is a summary of the research findings and reminder of best practices for proper user validation. Customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities.
The research showed that errors in SOAP parsing may have resulted in specially crafted SOAP requests with duplicate message elements and / or missing cryptographic signatures being processed. If this were to occur, an attacker who had access to an unencrypted SOAP message could potentially take actions as another valid user and perform invalid EC2 actions. For example, if an attacker could inappropriately obtain a previously generated, pre-signed SOAP request of an EC2 customer, or a customer’s public X.509 certificate, he could potentially generate arbitrary SOAP requests on behalf of another customer.
While it would be difficult to obtain a pre-signed soap request or an X.509 certificate, the researchers stated this could potentially be accomplished by an attacker if the customer sent their SOAP requests over HTTP instead of HTTPS in a public setting subject to interception or left the full content of their SOAP requests in a location accessible to an attacker (such as a public messaging forum). Additionally, security researchers discovered and reported other Cross-Site Scripting (XSS) flaws that could have been used to obtain the customer’s public X.509 certificate. Obtaining a customer’s public X.509 certificate in this manner could allow an attacker to generate arbitrary SOAP requests on behalf of the customer allowing exploitation of the vulnerability described above.
Both the SOAP and XSS vulnerabilities have been corrected and extensive log analysis has determined that no customers were impacted.
As a reminder, AWS recommends a number of security best practices to protect our customers:
- Only utilize the SSL-secured / HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation. A very small percentage of all authenticated AWS API calls use non-SSL endpoints, and AWS intends to deprecate non-SSL API endpoints in the future.
- Enable and use Multi-Factor Authentication (MFA) for AWS Management Console access.
- Create Identity and Access Management (IAM) accounts that have limited roles and responsibilities, restricting access to only those resources specifically needed by those accounts.
- Limit API access and interaction further by source IP, utilizing IAM source IP policy restrictions.
- Regularly rotate AWS credentials, including Secret Keys, X.509 certificates, and Keypairs.
- When utilizing the AWS Management Console, minimize or avoid interaction with other websites and follow safe Internet browsing practices, much as you should for banking or similarly important / critical online activities.
- AWS customers should also give consideration to utilizing API access mechanisms other than SOAP, such as REST / Query.
AWS would like to thank the following individuals for reporting these vulnerabilities and sharing our passion for security:
Juraj Somorovsky, Mario Heiderich, Meiko Jensen, and Jörg Schwenk of Ruhr-University Bochum, Germany
Nils Gruschka of NEC Europe
Luigi Lo Iacono of Cologne University of Applied Sciences, Germany
Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. Security-related questions or concerns can be brought to our attention via email@example.com.