2024-08-06, Florentine A
Could providers have prevented some of the more impactful web vulnerabilities revealed to date? Will they be able to prevent those yet to come? Is there a “secret” guardrail that those who report bugs and triage vulnerabilities simply don’t know of, but should?
At this session, I will unveil a high-severity vulnerability I discovered and dubbed 'FlowFixation'.
The talk will first explore a common cloud provider default configuration that can be likened to a JavaScript execution primitive on a victim's subdomain in on-prem environments. The root issue: you share parent domains with every other cloud customer. I will then introduce a lesser-known guardrail for preventing this risk: the Public Suffix List (PSL). Audiences will learn about my unique domain management research into the major cloud providers and better understand which services’ domains were vulnerable to same-site attacks. I will also share case studies of significant cloud vulnerabilities that could have been prevented with this guardrail.
The next part of the talk will dive deep into the FlowFixation vulnerability, which affected AWS Managed Workflows for Apache Airflow (MWAA), enabling attackers to hijack a user session and potentially execute remote code (RCE) on underlying instances.
OUTLINE:
- Introduction
  - We all use cloud, but we don’t always remember our “roommates”
    - In the on-prem realm, running JavaScript on a subdomain is a valid security vulnerability and will also be accepted as a bug bounty report
    - Are you considering the threat of being attacked by a malicious user under the same parent domain in the cloud?
  - Introducing, in general terms, the 'FlowFixation' vulnerability in AWS Managed Workflows for Apache Airflow (deep dive to come later), and how it led me to research the PSL and the shared parent domain risk
  - Overview of the risks for other major cloud providers as FlowFixation reveals the broader problem of a shared parent domain between different customers (deep dive later)
- Overlooked Security Measures: Examining the Risks of Same-Site Attacks and Lapses in a Lesser-known Guardrail
  - Exposing a much broader problem in which major CSPs are at risk
    - Web security architecture – a small detail with large implications: the difference between a site and an origin
    - The risks of sharing a parent domain with EVERYBODY
    - The mitigation guardrail: the Public Suffix List - inner workings, key concepts
    - Research into the current state of the PSL among cloud providers - AWS, Azure and GCP: revealing numerous misconfigured domains found at risk and the cloud providers’ response - one took immediate action, one took time thinking about it and then decided to push a fix, and the third decided not to take action
    - Providing case studies of two other high-severity vulnerabilities published by other security researchers (other than FlowFixation) that could have been prevented
      - The interesting thing to note here is that the researchers in that case did not note that implementing and using the PSL better could have prevented the vulnerability, and that implementation wasn’t fixed even after the vulnerability was fixed
- FlowFixation research deep dive
  - Evaluating the impact of the FlowFixation vulnerability
    - What is Apache Airflow and what is AWS MWAA?
    - Showcasing statistics from our customer database of AWS MWAA prevalence (20% of our customers are using the service)
  - Technical breakdown
    - Session management abuse
      - Cookies can be set to a parent domain (by abusing a misconfigured domain not present in the PSL)
      - Reaping the rewards
    - Research story deep dive
      - Apache Airflow authentication
      - Session handling misconfiguration
      - Abuse idea - cookie tossing and PSL research
      - Browser cookie handling obstacle
      - Technical exploit flow + a recorded demo of the vulnerability
    - Remote Code Execution (RCE) risks
    - Lateral movement to other services
- Takeaways
  - The role of cloud providers and cloud customers
  - Cloud customers’ awareness and best practices, actionable steps for cloud customers to take home
  - Need for proactive engagement with community resources
Cloud services host customer-specific data under a shared parent domain (i.e. the same site), leading to issues like account hijacking and leaks. I will introduce a lesser-known community-driven solution (the PSL), along with my unique research on the current threat landscape in the major cloud providers, with numerous domains found to be at risk.
There is not much awareness of the PSL or of the risks associated with neglecting it, except for some prior work on same-site attacks, which did not reveal the cloud providers' current posture. I will spotlight high-severity vulnerabilities that could have been avoided by implementing this guardrail and emphasize how collaborating with community-driven solutions can be game-changing.
Moreover, the shared parent domain risk and the importance of the PSL are backed up by revealing my newly discovered AWS service takeover vulnerability, dubbed ‘FlowFixation’, and deep diving into its technical components and research.
Takeaways:
- Cloud providers and their respective cloud services often segment customers by subdomains. Using a shared parent domain with different subdomains as customer data segmentation, combined with services that allow client-side code execution, can lead to security vulnerabilities.
- The FlowFixation vulnerability serves as a reminder that a proactive and preventive approach to security is essential. It supports the notion that a collaborative, community-focused approach strengthens cloud security and can help prevent past and future vulnerabilities and risks.
- Adding sites to the PSL is an effective and lesser-known guardrail, but cloud customers are at the mercy of their cloud provider to act on this preventive approach. At the same time, cloud customers have the responsibility for securing their web applications in the cloud to minimize risks.
- Check whether the service domain you are using is present in the PSL. If it is not: for AppSec engineers, note the risks mentioned and assume every same-site request is untrustworthy; for cloud practitioners, contact your Technical Account Manager and request that the neglected service domain be added to the PSL.
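To make the site-versus-origin distinction, the parent-domain cookie scoping in the outline and the PSL check in the last takeaway concrete, the following is an added example (not code from the talk, from Tenable or from the PSL project): a minimal implementation of the PSL matching algorithm run over a constructed rule excerpt. All domains in it are placeholders, and `cross_tenant_cookie_possible` is a helper name chosen here.

```python
# Added example (not from the talk): a minimal Public Suffix List (PSL) matcher showing
# why a parent domain missing from the PSL lets one tenant's cookie reach every other tenant.
# Constructed PSL excerpt with placeholder domains: "*." matches one extra label, "!" is an exception.
PSL_RULES = """
// ===BEGIN PRIVATE DOMAINS===
cloud-a.example
*.cloud-b.example
!gateway.cloud-b.example
"""

def parse_psl(text):
    """Drop comments and blank lines; keep rules in PSL syntax."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("//")]

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules):
    """PSL algorithm: a matching exception rule wins outright, else the longest matching rule."""
    labels, best, best_len = _labels(host), None, 0
    for rule in rules:
        exc = rule.startswith("!")
        rl = (rule[1:] if exc else rule).split(".")
        if len(rl) > len(labels):
            continue
        tail = labels[-len(rl):]
        if all(r == "*" or r == t for r, t in zip(rl, tail)):
            if exc:  # exception: the suffix is the rule minus its leftmost label
                return ".".join(rl[1:])
            if len(rl) > best_len:
                best, best_len = ".".join(tail), len(rl)
    return best if best is not None else labels[-1]  # default rule "*": the bare TLD

def registrable_domain(host, rules):
    """eTLD+1, i.e. the 'site' browsers use for same-site checks and Domain= cookie scoping."""
    labels, n = _labels(host), len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_allowed(setting_host, cookie_domain, rules):
    """Browsers reject a Domain= attribute that names a public suffix or a non-parent host."""
    host, dom = ".".join(_labels(setting_host)), ".".join(_labels(cookie_domain.lstrip(".")))
    if dom == public_suffix(dom, rules):
        return False  # the parent is a public suffix, so the cookie cannot cross tenants
    return host == dom or host.endswith("." + dom)

def cross_tenant_cookie_possible(parent, rules):
    """True when two tenants under `parent` are the same site and Domain=parent is accepted."""
    a, b = "tenant1." + parent, "tenant2." + parent
    return registrable_domain(a, rules) == registrable_domain(b, rules) and cookie_domain_allowed(a, parent, rules)
```

Running `cross_tenant_cookie_possible` against an unlisted parent such as `cloud-c.example` returns True, while the listed `cloud-a.example` returns False, which is exactly the difference the PSL entry makes for a browser.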
Liv Matan (@terminatorLM) is a Senior Security Researcher at Tenable, where he specializes in application and web security. He previously worked as a Security Researcher at Ermetic and served in the Israeli Intelligence Corps as a Software Developer.
As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure, Google Cloud, AWS, Facebook and Gitlab, was recognized by Microsoft as a Most Valuable Researcher, and has presented at conferences such as DEF CON Cloud Village and fwd:cloudsec.
Liv studied computer science at the Weizmann Institute of Science, in Israel. In his free time, he boxes, lifts weights and plays Capture the Flag (CTF).