/csp_security_mistakes

Cloud service provider security mistakes

Cloud Service Provider security mistakes

This page lists security mistakes by cloud service providers (AWS, GCP, and Azure). These are public mistakes on the cloud providers' side of the shared responsibility model. This may be CVEs or bug bounties for issues in the services they run, but could also be in client software they provide, guidance they have given, failed audit tests in their SOC 2 Type 2, security incidents they have had, and more.

Whether an issue is included or not is hard to define and thus opinionated. For my definition of a mistake, I am generally not including business decisions such as AWS releasing a service before it has Cloudtrail auditing support, or some technical decisions by the cloud providers such as the ease with which an S3 bucket can be made public. Some technical decisions are concerning enough to be listed here though. I'm avoiding GSuite and Office365 issues, or issues that are not specifically cloud issues (ex. Active Directory issues unless it specifically impacts Azure AD). I am not including security incidents at the companies that did not seem to impact the cloud services for customers (ex. when Amazon's Twitch was hacked, it didn't impact AWS customers), or security incidents of their customers (ex. Capital One's breach on AWS).

The purpose of this project is to ensure there is a record of these mistakes. Although I believe using cloud providers is often a much better decision than self-hosting, it's important to hold them accountable by recognizing their security mistakes.

Where possible I also want to ensure customers know what steps they can take to detect or prevent the issues identified. Mitre, which is the organization that manages CVEs, has generally avoided providing CVEs for security issues of the cloud providers under the assumption that all issues can be resolved by the cloud provider and therefore do not need a tracking number. This view is sometimes incorrect, and even when the issue can be resolved by the cloud provider, I still believe it warrants having a record. Similar views are expanded on by Alon Schindel and Shir Tamari from Wiz.io in their post Security industry call to action: we need a cloud vulnerability database.

Field explanations

Name: Name of the vulnerability if available, or a short explanation

  • Summary: Explanation of the issue
  • Platform: cloud provider (AWS, GCP, or Azure)
  • Severity: My opinion of how bad this is, in relation to other issues on this page.
  • Date: Date this was discovered or published if unknown. The actual date where this impacted customers may have been much earlier, and the date it was published, or fixed may be much later. This is just to give this list some sort of ordering.
  • Discoverer: Individuals who found the issue and where they worked at the time
  • Customer action: Whether there is anything a customer could do as follow-up to this issue.
  • References: Publication of the research and response from the cloud provider if it exists.

Issues

AWS: Launching EC2s did not require specifying AMI owner: CVE-2018-15869

  • Summary: Attackers had put malicious AMIs in the marketplace
  • Platform: AWS
  • Severity: Medium
  • Date: Augst 13, 2018
  • Discoverer: Megan Marsh (https://github.com/SwampDragons)
  • Customer action: Update CLI and other tools that create EC2s
  • References:

AWS: Resource policy confused deputy issue with services

AWS: AWS employee posts customer access keys and information

AWS: GuardDuty detection bypass via cloudtrail:PutEventSelectors

AWS: Lack of bug bounty

AWS: Lack of internal change controls for IAM managed policies

  • Summary: Repeated examples of AWS releasing or changing IAM policies they obviously shouldn't have (CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller). The worst being the ReadOnlyAccess policy having almost all privileges removed and unexpected ones added.
  • Platform: AWS
  • Severity: Low
  • Date: October 15, 2020
  • Discoverer: Aidan Steele
  • Customer action: N/A
  • References:

AWS: AssumeRole vendor issues with confused deputy

AWS: VPC Hosted Zones unauditable

  • Summary: For 6 years, it was not possible to see what hosted zones an attacker may have created in an account.
  • Platform: AWS
  • Severity: Low
  • Date: June 18, 2020
  • Discoverer: Aidan Steele
  • Customer action: Audit your VPC hosted zones
  • References:

AWS: XSS on EC2 web console

AWS: Terms and conditions allows sharing customer data

AWS: S3 Crypto SDK vulns: CVE-2020-8912 and CVE-2020-8911

AWS: ALB HTTP request smuggling

AWS: Execution in CloudFormation service account

AWS: CloudFormer review

AWS: Encryption SDK issues

AWS: S3 bucket tagging not restricted

AWS: Identification of privileges without being logged by CloudTrail

AWS: Fall 2020, SOC 2 Type 2 failure

AWS: API Gateway Custom Authorizer Documentation and Design Issues

GCP: Org policies bypass

AWS: Lightsail object storage access keys logged

Azure: ChaosDB

Azure: Azurescape

Azure: Log analytics role privesc

Azure: OMIGOD

GCP IAP bypass

  • Summary: Convincing a victim to click a specially crafted link would allow the attacker to bypass the Identity-Aware Proxy (a core component of BeyondCorp).
  • Platform: GCP
  • Severity: Medium
  • Date: September 17, 2021
  • Discoverer: Unknown
  • Customer action: N/A
  • References:

AWS Workspace client RCE - CVE-2021-38112

  • Summary: If a user with AWS WorkSpaces 3.0.10-3.1.8 installed visits a page in their web browser with attacker controlled content, the attacker can get zero click RCE under common circumstances.
  • Platform: AWS
  • Severity: High
  • Date: September 21, 2021
  • Discoverer: David Yesland, Rhino security
  • Customer action: Update client to 3.1.9 or higher
  • References:

Azure Active Directory information disclosure vulnerability (CVE-2021-42306)

AWS Fall 2021, SOC 2 Type 2 failure

AWS SageMaker Jupyter Notebook instance CSRF

  • Summary: AWS SageMaker Notebook server lacked a check of the Origin header that led to a CSRF vulnerability. An attacker could have read sensitive data and execute arbitrary actions in customer environments.
  • Platform: AWS
  • Severity: Medium
  • Date: December 2, 2021
  • Discoverer: Gafnit Amiga, Lightspin
  • Customer action: N/A
  • References: