Major cloud providers are vulnerable to exploitation because a single flaw can be turned into a global attack using trusted core services.
Amazon Web Services has closed two vulnerabilities in its core services, one of which could have allowed any user to access and take control of any company’s infrastructure, cloud security firm Orca Security said in an analysis published on Jan. 13.
While the vulnerabilities are now fixed, the attack chain that involves compromising a core service, escalating privileges, and using that privilege to attack other users is not limited to Amazon. This method affects many other cloud vendors, says Yoav Alon, chief technology officer at Orca Security. At the heart of the problem is a lack of isolation between services and too little granularity in the permissions of different services and users, he says.
The company has already reported similar issues to other cloud services, but Alon would not give specifics about those vulnerabilities until the company’s disclosure process is complete.
“We believe that these are the next big wave of critical vulnerabilities because we moved trust from our data centers to cloud services — and good thing we did because they are better at security than most companies,” he says. “Now an issue that is in your cloud provider affects you and you may not even know it.”
The most significant of the two vulnerabilities occurred in AWS Glue, a serverless integration service that allows AWS users to manage, clean, and transform data, and makes the datastore available to the user’s other services. Using this flaw, attackers could compromise the service and become an administrator — and because the Glue service is trusted, they could use their role to access other users’ environments. Read more:https://bit.ly/3qqlXeW