Researchers find "large" security vulnerabilities in various cloud architectures

German researchers say they found errors in Amazon Web Services (AWS), and they believe that similar errors exist in many cloud architectures that could lead to an attacker acquiring administrative privileges to steal data from all users.

While the researchers say they have informed AWS about these vulnerabilities, and AWS has fixed them, they think the same type of attack is equally effective for other cloud services, "because the relevant Web service standards do not match performance and security." ”

A team of researchers at the University of Bochum in Germany used multiple XML signature encapsulation attacks to gain administrator privileges on a number of customer accounts, and then create a new instance of the customer cloud that can add mirrors or remove mirrors. On another occasion, the researchers also used Cross-site scripting to attack the Open-source private cloud software framework Eucalyptus.

They also found Amazon's services vulnerable to Cross-site scripting attacks.

"It's not just Amazon's problem," says Juraj Somorovsky, one of the researchers. "These attacks are common types of attacks. This means that the public cloud is not as safe as it looks. These problems can also be found in other cloud architectures. ”

Somorovsky says they are developing a high-performance library, coupled with XML security, to eliminate vulnerabilities that might be exploited by XML signature encapsulation attacks. The work will be finished sometime next year. AWS acknowledges the possibility of a signature-encapsulation attack and says it has worked with the Ruhr University to correct the problems they found. "No customer has been affected," a AWS spokesman said in an e-mail. It must be noted that this potential vulnerability relates only to a small portion of authorized AWS API calls, and is only part of a non-SSL endpoint invocation, not as reported as a potentially widely spread vulnerability. ”

AWS has released a list of best practices to follow best practices, and customers can avoid such attacks and other types of attacks that are discovered by the LU University team. The following is the best time list that AWS releases:

Use only the HTTPS endpoint based on SSL security to invoke the AWS service to ensure that the client application executes the appropriate peer authentication program. The proportion of all AWS API calls to non-SSL endpoints is minimal, and AWS may not support the use of non-SSL API endpoints in the future.

Multi-factor authentication (MFA) is best used when accessing the AWS Management Console.

Create an identity and access management (IAM) account that has limited roles and responsibilities and is open only to accounts with special resource requirements.

Limited API access, deeper interaction with source IP, using IAM source IP policy restrictions.

Periodically rotate AWS certificates, including Keys, X.509 certifications, and KeyPair.

When using the AWS Management console, try to avoid interacting with other sites, allowing only safe internet browsing behavior.

AWS customers should also consider using API access mechanisms without SAOP, such as Rest/query.

(Responsible editor: The good of the Legacy)