Aaron Mulgrew by Aaron Mulgrew | | Blog

Amazon Workspaces was incorrectly interpreting an AWS managed policy which allowed a read-only permission user to hijack a legitimate workspace. The attacker could force a password reset to the new account and compromise that particular Amazon Workspace, even though the credentials for the account only had read only access. AWS have mitigated the vulnerability, and this post is a quick summarization of the events leading to the patch.

Technical analysis

I first came across Workspaces when exploring an internal project at Deep Secure. Workspaces is an Amazon managed Desktop As A Service (DAAS) solution.

 Whilst playing with Workspaces, I noticed that it was possible to edit a user who currently has an account on the workspace with my admin account. Nothing special here I first thought – it is simply used to update the details of the users first name, last name and email address.

 However, once the project had gained some traction, it came to the point of adding an admin read only account for auditing purposes. AWS has handily exposed a ready made IAM policy which has all the capabilities required to view all resources (but not modify) within the console.

So, I now have a ReadOnlyAccess administrator IAM user. If I randomly try to turn off EC2 instances, I will be returned an authorization error. There are many reasons to use read only user policies – for example sending data to an external logging service: https://docs.datadoghq.com/integrations/amazon_web_services/?tab=allpermissions

For these reasons, it means that a single AWS account may often have many read only access IAM users with varying permissions dependent on the service each user needs to access. So, with that in mind I came back to the edit user button within the Workspaces console. It was possible to edit any of the attributes despite only having a read only account:

So, I was able to change the email address of the workspace user from my work email to my personal one, without having appropriate permission. I still needed valid credentials to access the IAM user – so an average Joe Bloggs could not change the email address, but one logged in with the ReadOnlyAccess policy (either via the CLI or the console) could do so.

This meant that I could then force a password reset, and divert the corresponding password reset email across to myself (as the attacker). I could then log in with the attackers’ email address onto the Workspace environment with no obvious changes within the AWS Workspaces console, other than a new email address assigned to that user. At this point, I’m automatically granted the permissions of that workspace to view the users’ encrypted contents on the virtual hard disk and access other services (such as WorkDocs) that the workspace could be using. This access would only happen if the AWS resources were already provisioned to that particular Workspace account.

Mitigation

I contacted AWS security with a brief summary of the vulnerability that I had found. Below is a short timeline of the mitigation process:

  • 7th May: Initial Contact was made
  • 7th May: Response with confirmation of receipt
  • 13th May: Investigations in process and timeline to mitigate the delay
  • 19th May: Initial deployment of a fix, phased deployment has begun
  • 1st June: Deployment of fix complete
Conclusion

Overall a quick response and regular updates, with a total mitigation across all AWS regions in only three weeks. Whilst it is not the most exciting or attention-grabbing vulnerability, it shows that the general patching capability of using a major cloud service far outweighs anything that is “home baked” on premise or using lift and shift. It is only improved further when using managed services like DAAS or PAAS, where you exploit the full capabilities of the cloud infrastructure provider with their quick patching times.


View all posts

Digital Purity with 100% efficacy

Contact Us