Dubbed “Superglue” by the Orca Security Research Team, the bug was made possible by an internal misconfiguration within the service.
AWS Glue is a serverless data integration service that allows customers to discover and combine data for machine learning, analytics and app development. Given that it can access large volumes of potentially sensitive data, it could be an attractive target for hackers.
“During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API,” Orca Security explained.
“In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”
The vendor claimed to have been able to assume roles in AWS customer accounts that are trusted by Glue and query and modify AWS Glue service-related resources in a region. These included Glue jobs, dev endpoints, workflows, crawlers and triggers.
The research team was at pains to point out that it only used its own accounts for this project and that no AWS Glue customers were compromised as a result.
AWS worked swiftly with the team to fix the problem.
“Today, Orca Security, a valued AWS partner, helped us detect and mitigate a misconfiguration before it could impact any customers,” explained AWS principal engineer Anthony Virtuoso.
“We greatly appreciate their talent and vigilance, and we would like to thank them for the shared passion of protecting AWS customers through their findings.”
The same research team revealed a second vulnerability in AWS this week dubbed “BreakingFormation.”
Also now fixed by AWS, this zero-day bug could have allowed attackers to leak sensitive files on targeted service machines and grab credentials related to internal AWS infrastructure services.
Return to cybersecurity news
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022
- Chrome Update: Exploited Zero-Day Vulnerability fixed by Google, the 8th this year - 25 November 2022
- RESEARCH: analytics information related to iPhones include a Directory Services Identifier (DSID) that may be used to identify users - 24 November 2022