November 02, 2012
Security researchers reported incorrect behavior in the SSL certificate validation mechanisms of some software development kits (SDKs) and application programming interface (API) tools maintained by AWS and third parties. Specifically, researchers identified versions of Elastic Cloud Compute (EC2) API tools, Elastic Load Balancing (ELB) API tools, and Flexible Payments Software (FPS) SDKs which may perform incorrect validation of SSL certificates. The incorrect SSL certificate validation reported in EC2 and ELB API tools could potentially allow a man-in-the-middle attacker to read, but not successfully modify, signed AWS REST/Query requests intended for secure (HTTPS) EC2 or ELB API endpoints. These issues do not allow an attacker to access customer instances or manipulate customer data. The incorrect SSL certificate validation reported in the FPS SDKs could potentially allow an attacker to read, but not successfully modify, signed AWS REST requests intended for secure (HTTPS) FPS API endpoints, and may also impact merchant applications that utilize Amazon Payments Software SDKs to verify FPS responses to Instant Payment Notification verification.
To address these issues, AWS has released updated versions of the affected SDKs and API tools, which can be found here:
EC2 API Tools
http://aws.amazon.com/developertools/351
ELB API Tools
http://aws.amazon.com/developertools/2536
Amazon Payments Software Updates
US: https://payments.amazon.com/sdui/sdui/about?nodeId=201033780
UK: https://payments.amazon.co.uk/help?nodeId=201033780
DE: https://payments.amazon.de/help?nodeId=201033780
AWS has addressed similar issues for additional SDKs and API tools; releasing updated versions, which can be found here:
Boto
https://github.com/boto/boto
Auto Scaling Command Line Tool
http://aws.amazon.com/developertools/2535
AWS CloudFormation Command Line Tools
http://aws.amazon.com/developertools/AWS-CloudFormation/2555753788650372
Bootstrapping Applications using AWS CloudFormation
http://aws.amazon.com/developertools/4026240853893296
Amazon CloudFront Authentication Tool for Curl
http://aws.amazon.com/developertools/CloudFront/1878
Amazon CloudWatch Command Line Tool
http://aws.amazon.com/developertools/2534
Amazon CloudWatch Monitoring Scripts for Linux
http://aws.amazon.com/code/8720044071969977
Amazon EC2 VM Import Connector for VMware vCenter
http://aws.amazon.com/developertools/2759763385083070
AWS Elastic Beanstalk Command Line Tool
http://aws.amazon.com/code/AWS-Elastic-Beanstalk/6752709412171743
Amazon ElastiCache Command Line Toolkit
http://aws.amazon.com/developertools/Amazon-ElastiCache/2310261897259567
Amazon Mechanical Turk Command Line Tools
http://aws.amazon.com/developertools/694
Amazon Mechanical Turk SDK for .NET
http://aws.amazon.com/code/SDKs/923
Amazon Mechanical Turk SDK for Perl
http://aws.amazon.com/code/SDKs/922
Amazon Route 53 Authentication Tool for Curl
http://aws.amazon.com/code/9706686376855511
Ruby Libraries for Amazon Web Services
http://aws.amazon.com/code/SDKs/793
Amazon Simple Notification Service Command Line Interface Tool
http://aws.amazon.com/developertools/3688
Amazon S3 Authentication Tool for Curl
http://aws.amazon.com/developertools/Amazon-S3/128
In addition to using the latest AWS SDKs and API tools, customers are encouraged to update underlying software dependencies. Suggested versions for underlying software dependencies can be found in the README file of the SDK or CLI tool package.
AWS continues to recommend the use of SSL for additional security and to protect AWS requests or their responses from being viewed in transit. Signed AWS REST/Query requests via HTTP or HTTPS are protected from third-party modification, and MFA-protected API access using AWS Multi-Factor Authentication (MFA) provides an extra layer of security over powerful operations, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.
For more information about signing AWS REST/Query requests, please see:
http://docs.amazonwebservices.com/general/latest/gr/signing_aws_api_requests.html
For more information about MFA-protected API access, please see:
http://docs.amazonwebservices.com/IAM/latest/UserGuide/MFAProtectedAPI.html
AWS would like to thank the following individuals for reporting these issues and sharing our passion for security:
Martin Georgiev, Suman Jana, and Vitaly Shmatikov of the University of Texas at Austin
Subodh Iyengar, Rishita Anubhai, and Dan Boneh of Stanford University
Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. AWS security-related questions or concerns can be brought to our attention via aws-security@amazon.com.