Threat actors performing reconnaissance in AWS environments through API calls could have gone undetected.
Amazon Web Services (AWS) has addressed a bypass vulnerability that could allow attackers to evade CloudTrail API monitoring.
In a blog entry on January 17, Nick Frichette, senior researcher at Datadog Security Labs, addressed this important vulnerability affecting the CloudTrail event logging service, which is crucial for security teams investigating API activity.
Event logging systems are vital for defenders in identifying suspicious behaviors and conducting forensic analysis after a security breach.
CloudTrail records the events and API calls made in an AWS environment. However, as reported by the Datadog Security Research Team, a technique existed that bypassed this logging, allowing threat actors to perform reconnaissance against the IAM service without being detected.
The team examined two AWS services and found that the undocumented ‘iamadmin’ API exposed endpoints through which actions could be performed without generating any CloudTrail event.
The investigation identified 13 IAM methods that could be invoked this way, some of which produced unexpected results.
“After experimenting with this technique, it became evident that this functionality was unintended,” commented Frichette.
“The ability to bypass CloudTrail logging and retrieve results from these calls poses significant challenges for defenders, hampering their capacity to track adversary actions in an environment.”
He added that the method could also bypass Amazon GuardDuty, which uses CloudTrail as a data source.
Potential Impacts
Exploiting this vulnerability could enable attackers to perform reconnaissance tasks. Frichette explained that when the iamadmin service initiates IAM API calls, an attacker could retrieve information, such as “what groups an IAM user belongs to.”
Additionally, retrieving the IAM policies linked to a group could uncover highly privileged groups, and determining whether an IAM user has an MFA [multi-factor authentication] device attached could be useful for selecting future targets.
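The practical lesson for defenders is that CloudTrail coverage of IAM read-only calls cannot be assumed; it has to be verified. The script below is an added example, not code from the original article or from Datadog's research. It takes a list of IAM calls a principal is known to have made (in practice, recorded by your own test harness) and the CloudTrail records delivered for the same window, and reports the calls that left no trace. The records and the call list are constructed samples; the field names (`Records`, `eventSource`, `eventName`, `userIdentity.arn`) follow the real CloudTrail record format, and the assumption that IAM-backed calls are logged under the `iam.amazonaws.com` event source is an assumption of this example.

```python
"""Verify that known IAM read-only API calls appear in delivered CloudTrail records.

Added example, not part of the original article or of Datadog's research.
Sample records and the known-call list below are constructed for illustration.
"""
import json
from collections import Counter

# Constructed sample: CloudTrail records as they appear in a delivered log
# file's "Records" array. Only two of the three known calls are present.
SAMPLE_TRAIL_JSON = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2022-03-10T10:00:01Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "ListGroupsForUser",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/example-user"},
            "requestParameters": {"userName": "target-user"},
            "readOnly": True,
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2022-03-10T10:00:05Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "ListMFADevices",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/example-user"},
            "requestParameters": {"userName": "target-user"},
            "readOnly": True,
        },
    ]
})

# Constructed sample: (principal ARN, API action) pairs the principal is known to
# have issued during the test window. In a real coverage check this list comes
# from the client-side log of your own test harness, not from CloudTrail.
KNOWN_CALLS = [
    ("arn:aws:iam::123456789012:user/example-user", "ListGroupsForUser"),
    ("arn:aws:iam::123456789012:user/example-user", "ListAttachedGroupPolicies"),
    ("arn:aws:iam::123456789012:user/example-user", "ListMFADevices"),
]


def index_trail(trail_json, event_source="iam.amazonaws.com"):
    """Count delivered records per (principal ARN, eventName) for one event source.

    Assumption of this example: IAM-backed calls are logged with the
    iam.amazonaws.com event source.
    """
    records = json.loads(trail_json).get("Records", [])
    seen = Counter()
    for rec in records:
        if rec.get("eventSource") != event_source:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        seen[(arn, rec.get("eventName"))] += 1
    return seen


def find_unlogged_calls(known_calls, trail_json):
    """Return the known calls for which no matching CloudTrail record was delivered.

    Each occurrence is matched one-to-one, so a principal that issued the same
    action twice but was logged once is reported once.
    """
    seen = index_trail(trail_json)
    missing = []
    for call, count in Counter(known_calls).items():
        gap = count - seen.get(call, 0)
        missing.extend([call] * max(gap, 0))
    return sorted(missing)


if __name__ == "__main__":
    gaps = find_unlogged_calls(KNOWN_CALLS, SAMPLE_TRAIL_JSON)
    if not gaps:
        print("All known calls are present in CloudTrail.")
    for arn, action in gaps:
        print(f"UNLOGGED: {action} by {arn}")
```

Run against a real trail, a reported gap has three possible causes: delivery lag (re-run after the delivery window has passed), the call being logged under a different event source than the one assumed, or a genuine logging gap of the kind described in the article. Only the last is a security finding, so check the first two before escalating.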
An AWS spokesperson confirmed the vulnerability’s existence, noting that because the read-only APIs still enforced customer-defined authentication and authorization rules, a compromised entity would need sufficient permissions to invoke these actions without detection.
“With this vulnerability, those actions could be performed without any visibility,” stated Datadog.
Reporting and Resolution
The research team disclosed the issue to AWS on March 10, 2022, and Amazon’s security team acknowledged it the same day. However, because the fix required complex internal changes, the resolution was not released until October.
On October 24, AWS announced a fix that adjusted iamadmin API calls to produce events in CloudTrail similarly to the IAM service.
A spokesperson clarified that the affected API methods have been updated and that no action is necessary on the customer’s part.
“Vulnerabilities like these are rare,” Frichette remarked. “To my knowledge, there are no other publicly disclosed vulnerabilities allowing an attacker to bypass logging for AWS API actions that are typically logged.”
Based on an article from portswigger.net: https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool