AWS fixes critical “FlowFixation” bug in Airflow service to prevent session hijacking

March 22, 2024 | Pressroom | Amazon Web Services / Vulnerabilities

Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could potentially be exploited by a malicious actor to hijack victims’ sessions and achieve remote code execution on the underlying instances.

The vulnerability, now fixed by AWS, has been codenamed FlowFixation by Tenable.

“After taking over the victim’s account, the attacker may have performed activities such as reading connection strings, adding configurations, and triggering directed acyclic graphs (DAGs),” senior security researcher Liv Matan said in a technical analysis.

“In certain circumstances such actions may result in an RCE on the application underpinning the MWAA and a lateral move to other services.”

The root cause of the vulnerability, according to the cybersecurity firm, is a combination of session fixation on the AWS MWAA web management panel and a misconfiguration of the AWS domain that results in a cross-site scripting (XSS) attack.

Session fixation is a web attack technique that occurs when a user is authenticated to a service without invalidating any existing session identifiers. This allows the adversary to force (i.e., fix) a known session identifier on a user so that once the user is authenticated, the attacker has access to the authenticated session.

By abusing this loophole, the threat actor could have forced victims to use and authenticate the attacker’s known session and ultimately take over the victim’s web management panel.

“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared root domains: same-site attacks,” Matan said, adding that the misconfiguration also impacts Microsoft Azure and Google Cloud.

Tenable also pointed out that shared architecture, where several customers have the same primary domain, could be a gold mine for attackers looking to exploit vulnerabilities such as same-site attacks, cross-origin issues and cookie throwing, effectively leading to unauthorized access, data leaks and code execution.

The issue was addressed by both AWS and Azure by adding the incorrectly configured domains to the PSL, causing web browsers to recognize the added domains as public suffixes. Google Cloud, on the other hand, described the issue as not “serious enough” to merit a fix.
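The following added example (not from the article or from Tenable) models the browser-side cookie `Domain` check from RFC 6265 section 5.3 to show why listing a shared parent domain in the PSL stops one tenant's cookie from reaching a sibling tenant. The domain names and suffix entries are constructed placeholders, and the suffix lookup is exact-match only (the real PSL also has wildcard and exception rules).

```python
# Added example: simplified model of a browser's cookie Domain handling
# (RFC 6265 section 5.3, steps 5-6). All domains below are constructed.

def domain_match(host, domain):
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def cookie_scope(setting_host, domain_attr, psl):
    """Return (domain, host_only) as the browser would store the cookie,
    or None if the browser ignores it."""
    host = setting_host.lower()
    domain = domain_attr.lstrip(".").lower()
    if domain in psl:
        # Domain= names a public suffix: allowed only as a host-only cookie
        # for that exact host, otherwise ignored entirely.
        return (host, True) if host == domain else None
    if not domain_match(host, domain):
        return None  # a host cannot set cookies for an unrelated domain
    return (domain, False)

def cookie_reaches(victim_host, setting_host, domain_attr, psl):
    """True if the cookie is stored and later sent to victim_host."""
    scope = cookie_scope(setting_host, domain_attr, psl)
    if scope is None:
        return False
    domain, host_only = scope
    victim = victim_host.lower()
    return victim == domain if host_only else domain_match(victim, domain)

SHARED = "panel.cloud.example"      # constructed shared parent domain
TENANT_A = "tenant-a." + SHARED     # sibling that tries to set a parent-scoped cookie
TENANT_B = "tenant-b." + SHARED     # sibling that would receive it

PSL_BEFORE = {"example"}            # shared domain not listed as a public suffix
PSL_AFTER = PSL_BEFORE | {SHARED}   # the fix: shared domain added to the list

def demo():
    return {
        # Before: tenant A's Domain=<shared> cookie is sent to tenant B.
        "before": cookie_reaches(TENANT_B, TENANT_A, SHARED, PSL_BEFORE),
        # After: the same Set-Cookie is ignored by the browser.
        "after": cookie_reaches(TENANT_B, TENANT_A, SHARED, PSL_AFTER),
        # Tenants can still set cookies scoped to their own host.
        "own_host_after": cookie_reaches(TENANT_A, TENANT_A, TENANT_A, PSL_AFTER),
    }

if __name__ == "__main__":
    print(demo())
```

The PSL entry only closes the cross-tenant cookie path; the login flow still needs to issue a fresh session identifier on authentication to remove the session fixation itself.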

“In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with a higher risk of such attacks in cloud environments,” Matan explained.

“Among them, cookie-throwing attacks and cookie protection bypass on same-site attributes are particularly concerning since both can bypass CSRF protection. Cookie-throwing attacks can also abuse session fixing issues.”
