Beartime234/aws-mfa-entity-already-exists-fix

Vulnerability: Use Lambda function role to remove MFA from any user

andresriancho opened this issue · 1 comments

Description

Any user with lambda:invokefunction permission can abuse the functionality exposed by the lambda function to remove MFA from any user in the AWS account.

The permissions associated with the Lambda function allow its role to remove any MFA device, and anyone with lambda:invokefunction can craft arbitrary JSON to send as the parameter.

Attack

In order to perform these attacks, the attacker needs to have valid credentials for the AWS account AND enough permissions to get the user and MFA ids for the victim user. These are rather uncommon permissions and reduce the risk associated with this issue.

Attackers that meet the previously mentioned requirements will be able to remove the MFA device associated with a victim IAM user. The attacker will benefit from this action only if he already has access to the access key and secret key for the victim user, which is once again a rather uncommon scenario.

Recommended solution

Create a service control policy to restrict calls to the Lambda function. Only the CloudWatch service should be allowed to invoke this function, preventing the previously mentioned attack vector.

PS: Reporting this in public mode because the vulnerability is low risk.
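One way to implement the recommended mitigation, as an added example that is not part of the issue or of the repository's code: a service control policy that denies lambda:InvokeFunction on the fix function for every IAM user and role in the account. The function name is a placeholder; SCPs apply only to IAM principals, so an event-driven invocation that the function's own resource-based policy grants to the CloudWatch/EventBridge service principal is not affected.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectInvokeOfMfaFixFunction",
      "Effect": "Deny",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:FUNCTION_NAME_PLACEHOLDER"
    }
  ]
}
```

Attach the policy to the account (or organizational unit) that hosts the function, and verify afterwards that CloudTrail still records the scheduled invocations while a test user with lambda:InvokeFunction is denied.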