Critical AWS Vulnerabilities Allow S3 Attack Bonanza

Researchers at Aqua Security discovered flaws where threat actors can guess the name of S3 buckets based on their public account IDs.

Dark Reading

August 12, 2024


Six critical vulnerabilities in Amazon Web Services (AWS) could have allowed threat actors to target organizations with remote code execution (RCE), exfiltration, denial-of-service attacks, or even account takeovers.

"Most of the vulnerabilities were considered critical because they gave access to other accounts with minimal effort from the attacker perspective," Aqua's lead security researcher Yakir Kadkoda tells Dark Reading.

During a briefing on August 7 at Black Hat USA in Las Vegas, researchers at Aqua Security revealed that they had discovered new attack vectors, which they named "Bucket Monopoly" and "Shadow Resources." The affected AWS services are CloudFormation, CodeStar, EMR, Glue, SageMaker, and Service Catalog.

Upon discovering the vulnerabilities in February, the Aqua researchers reported them to AWS, which confirmed the issues and rolled out mitigations to the respective services piecemeal between March and June. However, open source implementations could still be vulnerable.

'Bucket Monopoly': Attacking Public AWS Account IDs

The researchers first uncovered Bucket Monopoly, an attack method that can significantly increase the success rate of attacks that exploit AWS S3 buckets – i.e., online storage containers used to manage objects, such as files or images, and the resources required for storing operational data…
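As an added illustration, not from the article or from Aqua's research, of how a defender would spot the symptom of this class of attack in logs: a principal in your own account reading from or, worse, writing to a bucket that a different account owns. The CloudTrail-shaped events below are constructed samples; the field layout (`recipientAccountId`, `resources[].accountId`) follows CloudTrail's S3 data events, and the trusted-account allow list is an assumption.

```python
import json

# Constructed sample CloudTrail S3 data events (JSON lines), not taken from the article.
# resources[].accountId records which account owns the bucket the call touched.
SAMPLE_LOG = """
{"eventName":"PutObject","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/DeployRole/s1"},"resources":[{"type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::example-artifacts-111111111111-us-east-1","accountId":"111111111111"}]}
{"eventName":"PutObject","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/DeployRole/s2"},"resources":[{"type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::example-artifacts-111111111111-eu-west-1","accountId":"999999999999"}]}
{"eventName":"GetObject","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"resources":[{"type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::shared-partner-data","accountId":"222222222222"}]}
"""

# Object writes are the Bucket Monopoly symptom: a service in the victim account
# drops data into a bucket the attacker claimed first. Reads are reported too.
WRITE_OPS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}


def foreign_bucket_events(log_text, own_account, trusted_accounts=frozenset()):
    """Return (eventName, principal ARN, bucket ARN, owner account) for every S3
    call made by own_account's principals against a bucket that is owned by an
    account outside trusted_accounts. Write operations are listed first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("recipientAccountId") != own_account:
            continue  # event belongs to another account's trail
        for res in ev.get("resources", []):
            if res.get("type") != "AWS::S3::Bucket":
                continue
            owner = res.get("accountId")
            if owner in (None, own_account) or owner in trusted_accounts:
                continue
            findings.append((ev["eventName"], ev["userIdentity"]["arn"], res["ARN"], owner))
    findings.sort(key=lambda f: f[0] not in WRITE_OPS)  # stable: writes float to the top
    return findings


if __name__ == "__main__":
    # "222222222222" is an assumed partner account whose buckets we expect to read.
    for f in foreign_bucket_events(SAMPLE_LOG, "111111111111", {"222222222222"}):
        print("ALERT" if f[0] in WRITE_OPS else "INFO", *f)
```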


Continue reading this article in Dark Reading.
