Cybersecurity experts have revealed details regarding a vulnerability that has been resolved in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA). Due to this vulnerability, a cyber threat actor may be able to remotely execute code on underlying occurrences and take over victims' sessions. Microsoft has given the vulnerability the codename “FlowFixation”, which AWS is presently addressing.
“Upon taking over the victim's account, the attacker could have performed tasks such as reading connection strings, adding configurations, and triggering directed acyclic graphs (DAGS). Under certain circumstances, such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.” In a technical analysis, top security researcher Liv Matan stated.
According to the cybersecurity organization, the primary reasons for the vulnerability are session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a Cross-Site Scripting (XSS) attack.
Session fixation is a web attack when a user signs in to a service without validating any session identifiers. This enables the cyber attacker to access the authenticated session after the user authenticates by forcing (sometimes called fixating) a known session identity on the user.
By forcing their victims to use and authenticate the attacker's known session, the threat actors might have taken advantage of this vulnerability to control their victims’ online administrative panel.
“FlowFixation highlights a broader issue with the current state of cloud providers' domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks.” According to Matan, Google Cloud and Microsoft Azure are also impacted by the misconfiguration.
Cybersecurity organizations say that hackers may find shared architecture—where several clients share a parent domain—to be a fantastic place to exploit issues with same-site assaults, cross-origin, and cookie tossing. These issues can lead to unauthorized access, breaches of data, and code execution.
Due to AWS and Azure adding the incorrectly configured domains to PSL, the shortcoming was corrected, and web browsers now identify the new domains as having a public suffix. But, Google Cloud claims that the issue is not “severe enough” to need to be fixed.
“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with a heightened risk of such cyber attacks in cloud environments. Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.” Matan explained.