Vulnerabilities discovered in six AWS services that allow accounts to be hijacked through the automatic creation of S3 buckets

At the world's largest security event, Black Hat USA 2024, a research team from Aqua Security announced that six AWS services had critical vulnerabilities that could lead to account hijacking, remote code execution, AI data manipulation, and confidential information leakage.

Cybersecurity News from Black Hat and DefCon | SC Media | SC Media

Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA | SC Media
https://www.scmagazine.com/news/critical-vulnerabilities-in-6-aws-services-disclosed-at-black-hat-usa

The research team's announcement was made in the morning of August 7, 2024 local time under the title 'Breaching AWS Accounts Through Shadow Resources.' According to the research team, the vulnerability was caused by the automatic creation of S3 buckets with a predictable naming scheme when using the following services: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar.

If a malicious attacker creates an S3 bucket with a name used by a service such as CloudFormation in advance, when a user later uploads a file to be used by the service, the file will be placed in the attacker's S3 bucket and the attacker can freely access it. For example, if a CloudFormation template file is uploaded, an attacker could not only steal confidential information stored in the template file, but also edit the template file to insert a backdoor.

The research team stresses the importance of keeping AWS account IDs and accounts secret, given that common hashes are used in the automatic creation of S3 buckets. In addition, because the possibility of an account being taken over if this vulnerability was exploited depended on the level of permissions of the user who used the S3 bucket, it is also important to assign roles with the least privileges possible.

The vulnerabilities were reported to the AWS security team in February 2024, and all vulnerabilities were fixed by June 2024. AWS responded to this announcement by saying, 'The issues have already been fixed, all services are working as expected, and no action is required on the part of users.'