Experts found a vulnerability in AWS AppSync

Amazon Web Services (AWS) fixed a cross-tenant vulnerability that could have allowed attackers to gain unauthorized access to resources.

Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from Datadog on September 1, 2022, and the bug was solved on September 6.

A confused deputy problem occurs when an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action. AWS provides tools to protect an account if the owner provides third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in your account.

The issue is related to the AppSync service in AWS that allows developers to quickly create GraphQL and Pub/Sub APIs.

“We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync.” reads the report published by Datadog. “This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts.”

Amazon investigated the potential exploitation of the issue in attacks in the wild and determined that no customers were affected.

“A security researcher recently disclosed a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.” reads the advisory published by Amazon.

“No customers were affected by this issue, and no customer action is required. AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service has been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.”

In the attack scenario, a less-privileged entity (the attacker) can force a privileged entity or service (AppSync) to perform some action on its behalf. 

The experts pointed out that to authorize the actions AppSync will perform, the developer creates a role (or AppSync can automatically create it on their behalf) with the required IAM permissions. The created role will have a trust policy that allows the AppSync service to assume the role.

Using the S3 example, if a developer was building that API, they would create a role with the S3 permissions they need and allow AppSync to assume that role. When that GraphQL API is called, AppSync will assume the role, perform the AWS API call, and interpret the results.

The experts pointed out that AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role’s Amazon Resource Name (ARN). The check could be simply eluded by passing the “serviceRoleArn” parameter in a lower case.

An attacker can exploit the issue to provide the identifier of a role for a different AWS account.

“This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service. By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles.” concludes the report. “After finding this vulnerability, we contacted the AWS Security Team who swiftly remediated the issue.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Amazon Web Services)

[adrotate banner=”5″]

[adrotate banner=”13″]