
Cybersecurity researchers have shared details of a now-patched security flaw in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could have allowed malicious actors to hijack a victim’s session and achieve remote code execution on the underlying instance.
The vulnerability, codenamed FlowFixation by Tenable, has since been addressed by AWS.
Senior security researcher Liv Matan said in a technical analysis: “After taking over the victim’s account, the attacker may perform tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGs).”
“In some cases, such behavior may result in RCE on the MWAA base instance and lateral movement to other services.”

According to the cybersecurity firm, the root cause of the vulnerability is a combination of session fixation on the AWS MWAA web management panel and a misconfigured AWS domain that led to a cross-site scripting (XSS) attack.
Session fixation is a web attack technique that occurs when a user authenticates with a service without invalidating any existing session identifiers. This allows an attacker to force (i.e., fixate) a session identifier known to the attacker onto the user, so that once the user authenticates, the attacker can access the authenticated session.

By exploiting this flaw, a threat actor could force a victim to use and authenticate the attacker’s known session, ultimately taking over the victim’s web admin panel.
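The mechanism described above, reduced to a small in-memory session store, as an added example that is not part of the original article or of any AWS or Apache Airflow code: the vulnerable login keeps whatever session identifier the browser already presented, so a pre-authentication identifier ends up carrying the victim’s login; the hardened login discards that identifier and issues a fresh one at authentication time, which is the standard defence against session fixation. All names and the `SessionStore` class are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""
    sessions: dict = field(default_factory=dict)  # session_id -> {"user": str | None}

    def get_or_create(self, presented_sid):
        """Accept a client-presented session id if it exists, else mint an anonymous one."""
        if presented_sid is not None and presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, username):
        """Authenticate WITHOUT rotating the session id: the pre-authentication id
        (which may have been fixated by a third party) now carries the login."""
        self.sessions[sid]["user"] = username
        return sid

    def login_hardened(self, sid, username):
        """Authenticate AND rotate: drop the pre-authentication id, issue a fresh one."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        """Return the authenticated user bound to a session id, or None."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_demo(rotate_on_login):
    """Simulate a fixated session id and report which user it resolves to after login.

    Returns "victim" when the pre-authentication id still grants the victim's
    authenticated session (vulnerable), None when rotation severed that link.
    """
    store = SessionStore()
    # A session id created before the victim authenticates and known to a third party.
    planted_sid = store.get_or_create(None)
    # The victim's browser presents that id (e.g. a cookie set on a shared parent domain).
    victim_sid = store.get_or_create(planted_sid)
    assert victim_sid == planted_sid  # the store accepted the pre-existing id
    if rotate_on_login:
        store.login_hardened(victim_sid, "victim")
    else:
        store.login_vulnerable(victim_sid, "victim")
    # Does the pre-authentication id now resolve to the victim's authenticated session?
    return store.user_for(planted_sid)


if __name__ == "__main__":
    print("without rotation:", fixation_demo(rotate_on_login=False))  # "victim"
    print("with rotation:   ", fixation_demo(rotate_on_login=True))   # None
```

The detection-side takeaway is the same as the fix: a session identifier that was observed before a login event and is still valid after it is the signal to alert on, and a login handler that never changes the identifier is the defect to look for in code review.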
“FlowFixation highlights a broader issue with the current state of cloud provider domain architecture and management as it relates to Public Suffix Lists (PSLs) and shared parent domains: same-site attacks,” Matan said, adding that misconfigurations can also impact Microsoft Azure and Google Cloud.
Tenable also noted that shared architectures (where multiple customers share the same parent domain) can be a gold mine for attackers to exploit weaknesses such as same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leakage, and code execution.

AWS and Azure addressed this flaw by adding the misconfigured domain to the PSL, causing web browsers to recognize the added domain as a public suffix. Google Cloud, on the other hand, described the issue as “not severe enough” to be worth fixing.
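Why adding the shared parent domain to the Public Suffix List is a fix, shown as an added example that is not from the original article and does not use AWS’s or Azure’s real domain names: the constructed domain `cloud-example.com` stands in for a provider’s shared parent domain, and the two small rule sets stand in for the PSL before and after the change. With the parent domain absent from the list, two tenant hostnames resolve to the same registrable domain (the same “site”), and a cookie scoped to the parent domain is accepted; once the parent domain is a public suffix, the tenants become distinct sites and browsers reject cookies scoped to the parent, which is what closes the cookie-tossing path. The `registrable_domain`, `same_site` and `cookie_domain_allowed` helpers are assumptions written for this example, simplified from the PSL algorithm (no wildcard or exception rules).

```python
# Constructed mini public-suffix lists; the real list lives at https://publicsuffix.org/list/
PSL_BEFORE = {"com"}
PSL_AFTER = {"com", "cloud-example.com"}  # the shared parent domain added as a public suffix


def registrable_domain(host, psl):
    """Return the registrable domain (eTLD+1) of a hostname under the given rules.

    Simplified PSL algorithm: find the longest suffix present in psl and take one
    more label to the left. Returns None when the host itself is a public suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i == 0 is the full host, i.e. the longest suffix
        suffix = ".".join(labels[i:])
        if suffix in psl:
            if i == 0:
                return None               # no label to the left of the public suffix
            return ".".join(labels[i - 1:])
    return host                           # no rule matched: treat the whole host as its site


def same_site(host_a, host_b, psl):
    """Two hosts are same-site when they share a registrable domain."""
    a, b = registrable_domain(host_a, psl), registrable_domain(host_b, psl)
    return a is not None and a == b


def cookie_domain_allowed(request_host, cookie_domain, psl):
    """RFC 6265 domain-matching plus the public-suffix rule browsers apply:
    a cookie may not be scoped to a public suffix."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    domain_matches = host == dom or host.endswith("." + dom)
    return domain_matches and dom not in psl


if __name__ == "__main__":
    a, b = "tenant-a.cloud-example.com", "tenant-b.cloud-example.com"
    for label, psl in (("before PSL entry", PSL_BEFORE), ("after PSL entry", PSL_AFTER)):
        print(label)
        print("  same-site:", same_site(a, b, psl))
        print("  tenant-a may set Domain=cloud-example.com:",
              cookie_domain_allowed(a, "cloud-example.com", psl))
```

Real browsers consult their bundled copy of the PSL, so the protection only takes effect once browser releases have shipped the updated list; a provider that wants the same isolation before that should keep per-tenant hosts under distinct registrable domains rather than rely on the list alone.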
“In the case of same-site attacks, the security impact of the above domain architecture is significant, and the risk of such attacks is higher in cloud environments,” Matan explained.
“Of these, cookie-tossing attacks and same-site attribute cookie protection bypasses are particularly concerning because both can bypass CSRF protection. Cookie-tossing attacks can also abuse session fixation issues.”