Description
Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.
EPSS Score: 1%
Comprehensive Technical Analysis of EUVD-2024-1151
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
The vulnerability EUVD-2024-1151 affects Amazon AWS Amplify CLI versions before 12.10.1. The issue arises from an incorrect configuration of the role trust policy for IAM roles associated with Amplify projects. Specifically, when the Authentication component is removed from an Amplify project, the "Effect":"Allow" remains present without the necessary Condition property, allowing unauthorized access to AWS resources via sts:AssumeRoleWithWebIdentity.
Severity Evaluation:
The vulnerability has a CVSS Base Score of 9.8, which is considered critical. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates:
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
This high severity score underscores the potential for significant impact on confidentiality, integrity, and availability of affected systems.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Unauthorized Access: Threat actors can exploit the misconfigured IAM roles to assume roles without proper conditions, gaining unauthorized access to AWS resources.
- Privilege Escalation: Once access is gained, attackers can escalate privileges to perform further malicious activities within the AWS environment.
- Data Exfiltration: Attackers can exfiltrate sensitive data stored in AWS resources.
- Service Disruption: Attackers can disrupt services by modifying or deleting critical resources.
Exploitation Methods:
- AssumeRoleWithWebIdentity: Attackers can use the sts:AssumeRoleWithWebIdentity API call to assume the misconfigured IAM role.
- Automated Scripts: Attackers can write automated scripts to scan for vulnerable Amplify projects and exploit them en masse.
3. Affected Systems and Software Versions
Affected Systems:
- AWS Amplify projects that had the Authentication component removed between August 2019 and January 2024.
- AWS environments where the Amplify CLI versions before 12.10.1 were used.
Software Versions:
- AWS Amplify CLI versions before 12.10.1.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Update Amplify CLI: Upgrade to AWS Amplify CLI version 12.10.1 or later.
- Review IAM Roles: Audit and correct the trust policies of IAM roles associated with Amplify projects to ensure proper conditions are in place.
- Monitoring: Implement monitoring and alerting for unusual sts:AssumeRoleWithWebIdentity activity.
Long-Term Mitigation:
- Regular Audits: Conduct regular security audits of IAM roles and policies.
- Least Privilege Principle: Ensure that IAM roles and policies adhere to the principle of least privilege.
- Automated Tools: Use automated tools to continuously monitor and validate IAM configurations.
5. Impact on European Cybersecurity Landscape
Regulatory Compliance:
- GDPR: Unauthorized access to AWS resources can lead to data breaches, violating GDPR regulations and resulting in significant fines.
- NIS Directive: Organizations in critical sectors must ensure the security of their digital infrastructure, and this vulnerability poses a risk to compliance.
Operational Impact:
- Service Disruption: Exploitation of this vulnerability can lead to service disruptions, affecting business continuity.
- Reputation Damage: Data breaches and service disruptions can damage an organization's reputation and customer trust.
6. Technical Details for Security Professionals
Technical Analysis:
- Role Trust Policy Misconfiguration: The core issue is the removal of the Condition property while retaining the "Effect":"Allow" in the role trust policy. This allows any entity to assume the role without meeting specific conditions.
- Exploitation Steps:
  - Identify Amplify projects with the Authentication component removed.
  - Use sts:AssumeRoleWithWebIdentity to assume the role.
  - Gain unauthorized access to AWS resources.
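The audit step recommended above can be scripted. The following check is an added example, not code from the advisory or from AWS: it flags any trust-policy statement that allows sts:AssumeRoleWithWebIdentity with no Condition, which is exactly the shape the Amplify CLI left behind. The two policy documents and the identity pool id are constructed samples.

```python
import fnmatch
import json
from typing import Any

# Constructed sample: trust policy as left behind after removing the Authentication
# component. The Condition block scoping the role to one identity pool is gone.
MISCONFIGURED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Constructed sample: the same statement with the usual Cognito scoping conditions
# (audience = identity pool id, amr = authenticated). Pool id is a placeholder.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "eu-west-1:00000000-0000-0000-0000-000000000000"
            },
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
})

def _as_list(value: Any) -> list:
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def unconditional_web_identity_statements(policy_json: str) -> list[dict[str, Any]]:
    """Return Allow statements that grant sts:AssumeRoleWithWebIdentity (directly or
    via a wildcard such as sts:* or *) without any Condition. An empty Condition
    object counts as missing, because it constrains nothing."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("sts:assumerolewithwebidentity", p) for p in patterns):
            continue
        if not stmt.get("Condition"):
            findings.append(stmt)
    return findings
```

boto3 returns a role's AssumeRolePolicyDocument already parsed, so pass json.dumps(document) to this function when iterating over list_roles() output.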
Detection and Response:
- Log Analysis: Analyze CloudTrail logs for unusual sts:AssumeRoleWithWebIdentity activity.
- Incident Response: Implement an incident response plan to quickly identify and mitigate any unauthorized access.
- Patch Management: Ensure that all Amplify CLI instances are updated to the latest version.
By addressing this vulnerability promptly and comprehensively, organizations can mitigate the risk of unauthorized access and ensure the security of their AWS resources.