Vulnerabilities discovered in AWS, GCP and Azure

January 27, 2023

It's nearly the end of Jan and, just like all other years, 2023 also seems like it's flying through. A lot is happening in the tech world; there are sentiments around what this year will shape up to be, the economics of it all and how it's impacting folks around the world. This all also has a bearing on cybersecurity and cloud security: will budgets be tighter, how will cybersecurity change in 2023? We'll have to wait and watch. But for now, let's get into the news for this week

  • If you are listening to or watching Cloud Security Podcast this month, which I am sure you are. Right? You would have heard Nick Frichette talking about Hacking AWS Cloud, where he spoke about the Confused Deputy vulnerability in AWS AppSync that he discovered. If you want to find out more about what confused deputy vulnerabilities are or what AWS AppSync does, definitely check that episode out. In more recent news, Nick has reported a vulnerability that impacts the CloudTrail event logging service. CloudTrail is what users use in AWS to monitor their API activity so that they can detect any suspicious activity and understand the impact after a security event. The vulnerability discovered is that there is a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This can be quite a significant vulnerability, as attackers could use this technique to perform reconnaissance activities in the IAM service after gaining control of an AWS account, without leaving any trace of their actions in CloudTrail.

Undocumented APIs are a big area of focus for many cloud security researchers in 2023, as we heard from our guests this month, so it's likely we will see more things come out in this space this year. Of course this vulnerability was reported to AWS and has been remediated since. You can read more about this vulnerability here

  • The one thing we hear about often when it comes to vulnerabilities, apart from IAM misconfiguration and exposed S3 buckets, is our good old friend (well, more like enemy) – SSRF – Server Side Request Forgery. The duo Sreeram KL and Sivanesh Ashok found an SSRF vulnerability in GCP which, when exploited, could trick users into clicking a malicious URL, allowing attackers to gain control of an authorisation token and the user's GCP projects. They utilized Google Cloud's Vertex AI, which is a platform you can use to build, deploy and scale machine learning faster. This was one of 4 vulnerabilities the duo discovered, and they have since been patched. You can read more about 2 of the vulnerabilities here; there were blogs for the other two, but when I was looking them up the website server was down. If you find an updated link, feel free to share it with me and I will share it with the community

I did enjoy the part where the duo used tools provided by Google Cloud to discover vulnerabilities in GCP itself, maybe a good example of how organizations can empower the community to help improve their products.

  • In last week's news I spoke about the CircleCI breach which surfaced at the end of 2022, and there was a promise of the release of an incident report. Well, CircleCI delivered and have released an incident report which details what happened, how to know if you were impacted, what may help your teams, what they learnt and what they will do next. I did call this out on my socials: breaches happen to the best of us, but how we choose to deal with them is what's important. CircleCI's response has been prompt and transparent, which I definitely commend. Some of the key learnings they shared were
    • The authentication, security, and tracing tools they had in place allowed them to comprehensively diagnose and remediate the issue
    • They are initiating periodic automatic OAuth token rotation for all customers
    • They have plans to include a shift from OAuth to GitHub Apps to allow for more granular permissions of tokens
    • They also intend to complete a comprehensive analysis of all of their tooling configurations, including a third-party review
    • They will also be making their system permissions more ephemeral, largely restricting the target value of any tokens gained from a similar incident.
    • Overall they want to make it easier for their customers to easily adopt their latest and more advanced security features 
  • API Security: we started hearing all about it in 2022. There were breaches relating to APIs, and API security has become front and center for cyber security in 2023 because of how everything is connected through APIs. Now, there are several reports that come out through the year, and I understand that when they are released by vendors, they often highlight agendas the vendors are passionate about. Nonetheless I find them valuable to gain an insight, and hopefully you do too. Let me know on LinkedIn or Cloud Security News Twitter so I can start to include them more regularly or less frequently. So onto another report finding. Corsha, which is an API Identity and Access Management software company, has released a report – It's Time To Get Honest About Secrets Management: Corsha State of API Secrets Management Report, 2023. You can read the report, but some findings that I found interesting were
    • Many security professionals have experienced an API related breach, and those who haven't are worrying about having one. This rings true if I reflect back on the conversations I have had with cybersecurity practitioners and leaders through 2022.
    • Many teams are managing up to 250 API tokens, keys and certificates across their networks

I am curious to hear if API security is something that is on your radar for 2023. Let us know

  • It's been a month that we are talking all things cloud security research and hacking AWS on Cloud Security Podcast, and it's only fitting (though we didn't have anything to do with it) that there have been several vulnerabilities reported across our CSPs. We spoke about an AWS one and a few GCP ones, so let's round it off (why not!) with some Azure ones too. Orca Security have reported that they found instances where different services were vulnerable to a (you guessed it) Server Side Request Forgery (SSRF) attack. They shared that 2 of the vulnerabilities did not require authentication, meaning that they could be exploited without even having an Azure account. The vulnerabilities were found in Azure Twin Explorer, Azure Functions, Azure API Management Service and Azure Machine Learning Service. You can read their blog here to find out more
  • There are several vendors who do cloud security research, and this is a growing trend. The industry sees it as a positive, as it arguably makes CSPs more secure. CSPs often do their own research too. Microsoft security researcher Sunders Bruskin reported that Kinsing, a Golang-based malware best known for targeting Linux environments, can also be used to target vulnerable images and weakly configured PostgreSQL containers in Kubernetes to gain initial access. Sunders has released a blog showing how these attacks may happen and how one can mitigate and defend against them. You can read the blog in detail here
  • Now, just to wrap this all up, one final piece of news. We all know Dell; most of you probably have Dell laptops in the house. TechCrunch has reported this week that Dell has acquired an Israeli cloud orchestration startup, Cloudify, for allegedly $100M. Cloudify helps with the management of containers and workloads across hybrid environments. Dell has not publicly made this announcement, but TechCrunch has shared that they noticed a form Dell has lodged that indicates this. Let's see if they do make the announcement and what it means for the cloud security space. It is anticipated that we will see more acquisitions and consolidations in 2023

If you are enjoying Cloud Security News, make sure you subscribe to us on your favourite podcast platforms. Just like Cloud Security Podcast, we are completely vendor neutral, and our goal remains the same across all that we do: bring you all you need to know in the world of Cloud Security. If there are particular kinds of news you would like to hear more of or less of, let us know; we are curating this for you.
