Breaking Formation: API Vulnerability in the AWS CloudFormation API

Aner Morag, VP of Technology

On January 13th, researchers from Orca Security published a vulnerability found in the AWS CloudFormation API, a service that helps users model and set up their AWS resources. The vulnerability gave the researchers file and credential disclosure primitives on an internal AWS service, which they leveraged to leak sensitive files from the vulnerable CloudFormation machines. The attack flow then continues to an SSRF (server-side request forgery) that leverages the connectivity and permissions of the targeted service.

The following is a quick example of the resource section of a template, from AWS Labs on GitHub:

Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref 'InstanceType'
      SecurityGroups: [!Ref 'InstanceSecurityGroup']
      KeyName: !Ref 'KeyName'
      ImageId: !Ref 'LatestAmiId'
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !Ref 'SSHLocation'

As this shows, the template allows someone to easily define an EC2 instance and add the instance's security groups, thus automating the procedure of creating a cloud formation that is easy to deploy.

What is the BreakingFormation Vulnerability? 

BreakingFormation is an XXE (XML external entity injection) vulnerability in the AWS API, the RESTful API serviced by AWS through which a user or company can easily control their AWS configuration. Orca's researchers were able to exploit a bug in the way AWS renders template files to trigger the vulnerability, which ultimately allowed them to gain access to credentials and to trigger requests from an AWS service to another server (SSRF).

In addition to the disclosure of AWS service binaries, which are usually hidden from the eye of an AWS user, Orca was also able to leak private information belonging to AWS, which makes us believe that, in the case of a real threat actor, such an attack scenario could have escalated even further.

XML evaluation and rendering issues and SSRF exploitation are a significant problem in today's world, affecting companies of all sizes, since they sometimes go unnoticed in the API development process and are very hard to find once deployed.
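One way an API can close off this class of bug at the parsing layer, shown as an added example that is not code from AWS, Orca or this post: a parser wrapper that refuses any DTD or entity declaration before an entity can be resolved. The function name, exception name and both sample documents are constructed for illustration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document uses a DTD or entity feature that enables XXE."""


def _forbid(kind):
    # Build an expat handler that aborts parsing as soon as `kind` is seen.
    def handler(*args):
        raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse API-supplied XML, rejecting DTDs and all entity declarations."""
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    # Rejecting these constructs up front means no entity is ever expanded,
    # so the parser never reads a local file or makes an outbound request.
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbid("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")

    # Ordinary elements and text are passed through to build the tree.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


# Constructed sample inputs (not real AWS request formats).
BENIGN = b'<?xml version="1.0"?><Request><StackName>demo-stack</StackName></Request>'
HOSTILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/placeholder">]>'
    b"<Request><StackName>&x;</StackName></Request>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).findtext("StackName"))
    try:
        parse_untrusted_xml(HOSTILE)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Running the same two inputs through the parser an API actually uses, as a CI test, is a simple way to catch a regression in its entity handling before deployment.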

API Inventory and Visibility is Critical to Securing an Organization

Cases such as BreakingFormation emphasize the urgent need for API security, because if such a vulnerability can be discovered and exploited on AWS, it can happen to companies of all sizes. Organizations must be aware of each API in their API inventory, have real-time protection and prevention for malicious activity taken against their APIs, and apply the shift-left approach to test their APIs for various vulnerabilities and risks before they reach production and as part of their CI/CD pipeline.