Mar 22, 2024
Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on underlying instances.
The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.
“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGS),” senior security researcher Liv Matan said in a technical analysis.
“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”
The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.
Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This permits the adversary to force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
By abusing the shortcoming, a threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.
“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.
Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.
The shortcoming has been addressed by both AWS and Azure adding the misconfigured domains to PSL, thus causing web browsers to recognize the added domains as a public suffix. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.
“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments,” Matan explained.
“Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.”
This story was originally featured on Thehackernews.com
I am not sure where youre getting your info but good topic I needs to spend some time learning much more or understanding more Thanks for magnificent info I was looking for this information for my mission.
of course like your website but you have to check the spelling on several of your posts A number of them are rife with spelling issues and I in finding it very troublesome to inform the reality on the other hand I will certainly come back again.
Hello i think that i saw you visited my weblog so i came to Return the favore Im trying to find things to improve my web siteI suppose its ok to use some of your ideas.
Thank you I have just been searching for information approximately this topic for a while and yours is the best I have found out so far However what in regards to the bottom line Are you certain concerning the supply.
Wow amazing blog layout How long have you been blogging for you made blogging look easy The overall look of your web site is magnificent as well as the content.
Wow amazing blog layout How long have you been blogging for you made blogging look easy The overall look of your web site is magnificent as well as the content.