November 02, 2012

Security researchers reported incorrect behavior in the SSL certificate validation mechanisms of some software development kits (SDKs) and application programming interface (API) tools maintained by AWS and third parties. Specifically, researchers identified versions of Elastic Cloud Compute (EC2) API tools, Elastic Load Balancing (ELB) API tools, and Flexible Payments Software (FPS) SDKs which may perform incorrect validation of SSL certificates. The incorrect SSL certificate validation reported in EC2 and ELB API tools could potentially allow a man-in-the-middle attacker to read, but not successfully modify, signed AWS REST/Query requests intended for secure (HTTPS) EC2 or ELB API endpoints. These issues do not allow an attacker to access customer instances or manipulate customer data. The incorrect SSL certificate validation reported in the FPS SDKs could potentially allow an attacker to read, but not successfully modify, signed AWS REST requests intended for secure (HTTPS) FPS API endpoints, and may also impact merchant applications that utilize Amazon Payments Software SDKs to verify FPS responses to Instant Payment Notification verification.

To address these issues, AWS has released updated versions of the affected SDKs and API tools, which can be found here:

EC2 API Tools
http://aws.amazon.com/developertools/351

ELB API Tools
http://aws.amazon.com/developertools/2536

Amazon Payments Software Updates
US: https://payments.amazon.com/sdui/sdui/about?nodeId=201033780
UK: https://payments.amazon.co.uk/help?nodeId=201033780
DE: https://payments.amazon.de/help?nodeId=201033780

 

AWS has addressed similar issues for additional SDKs and API tools; releasing updated versions, which can be found here:

Boto
https://github.com/boto/boto

Auto Scaling Command Line Tool
http://aws.amazon.com/developertools/2535

AWS CloudFormation Command Line Tools
http://aws.amazon.com/developertools/AWS-CloudFormation/2555753788650372

Bootstrapping Applications using AWS CloudFormation
http://aws.amazon.com/developertools/4026240853893296

Amazon CloudFront Authentication Tool for Curl
http://aws.amazon.com/developertools/CloudFront/1878

Amazon CloudWatch Command Line Tool
http://aws.amazon.com/developertools/2534

Amazon CloudWatch Monitoring Scripts for Linux
http://aws.amazon.com/code/8720044071969977

Amazon EC2 VM Import Connector for VMware vCenter
http://aws.amazon.com/developertools/2759763385083070

AWS Elastic Beanstalk Command Line Tool
http://aws.amazon.com/code/AWS-Elastic-Beanstalk/6752709412171743

Amazon ElastiCache Command Line Toolkit
http://aws.amazon.com/developertools/Amazon-ElastiCache/2310261897259567

Amazon Mechanical Turk Command Line Tools
http://aws.amazon.com/developertools/694

Amazon Mechanical Turk SDK for .NET
http://aws.amazon.com/code/SDKs/923

Amazon Mechanical Turk SDK for Perl
http://aws.amazon.com/code/SDKs/922

Amazon Route 53 Authentication Tool for Curl
http://aws.amazon.com/code/9706686376855511

Ruby Libraries for Amazon Web Services
http://aws.amazon.com/code/SDKs/793

Amazon Simple Notification Service Command Line Interface Tool
http://aws.amazon.com/developertools/3688

Amazon S3 Authentication Tool for Curl
http://aws.amazon.com/developertools/Amazon-S3/128

In addition to using the latest AWS SDKs and API tools, customers are encouraged to update underlying software dependencies. Suggested versions for underlying software dependencies can be found in the README file of the SDK or CLI tool package.

AWS continues to recommend the use of SSL for additional security and to protect AWS requests or their responses from being viewed in transit. Signed AWS REST/Query requests via HTTP or HTTPS are protected from third-party modification, and MFA-protected API access using AWS Multi-Factor Authentication (MFA) provides an extra layer of security over powerful operations, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.

For more information about signing AWS REST/Query requests, please see:
http://docs.amazonwebservices.com/general/latest/gr/signing_aws_api_requests.html

For more information about MFA-protected API access, please see:
http://docs.amazonwebservices.com/IAM/latest/UserGuide/MFAProtectedAPI.html

AWS would like to thank the following individuals for reporting these issues and sharing our passion for security:

Martin Georgiev, Suman Jana, and Vitaly Shmatikov of the University of Texas at Austin

Subodh Iyengar, Rishita Anubhai, and Dan Boneh of Stanford University

Security is our top priority. We remain committed to providing features, mechanisms, and assistance for our customers to realize a secure AWS infrastructure. AWS security-related questions or concerns can be brought to our attention via aws-security@amazon.com.