AWS fixes “confused deputy” vulnerability in AppSync • The Register

Amazon Web Services (AWS) has fixed a cross-tenant flaw in AWS AppSync that could have allowed criminals to abuse the cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those accounts’ resources.
Datadog security researchers identified the bug and reported it to AWS on September 1st. Five days later, the tech giant released a fix for the AppSync service that Datadog confirmed solved the problem.
According to AWS, no customers were affected by the vulnerability and no customer action is required.
In a statement released Monday, the cloud service provider thanked Datadog for reporting the “case-sensitive parsing issue” in AppSync.
“AWS immediately attempted to fix this issue when it was reported,” it said. “An analysis of the logs dating back to the launch of the service was performed and we have concluded that the only activity related to this issue occurred between accounts owned by the researcher. No other customer accounts were affected.”
AWS AppSync provides a GraphQL interface for application developers to combine data from Amazon DynamoDB, AWS Lambda, and external APIs like Datadog. In addition to predefined data sources, developers can build integrations to allow AppSync to call APIs directly by creating a role that grants AppSync the necessary Identity and Access Management (IAM) permissions.
Because Datadog is integrated with AppSync, the company’s security researchers wanted to see whether they could get the AWS service to assume a role and then access and control resources belonging to other data sources.
In their proof of concept, the researchers describe a “confused deputy” problem, in which an attacker tricks a higher-privileged service (here, AppSync) into performing an action on the attacker’s behalf.
To that end, the researchers found a way to bypass Amazon Resource Name (ARN) validation using a mixed-case JSON payload: instead of sending the key in its normal casing, “serviceRoleArn”, they sent it in lower case as “servicerolearn”.
After bypassing ARN validation, an attacker could “cross account boundaries and make AWS API calls in victim accounts through IAM roles that trust the AppSync service,” they wrote. “By using this method, attackers could breach organizations using AppSync and gain access to resources associated with those roles.”
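The mismatch the researchers describe, modelled in Python as an added example (an illustrative reconstruction for defenders, not AWS’s or Datadog’s code): a validator that reads the exact-case key beside a consumer that matches keys case-insensitively, the hardened variant that canonicalises once and validates the value it actually uses, and the aws:SourceAccount trust-policy condition AWS documents for confused-deputy prevention. The account IDs, role name and the toy policy evaluator are constructed.

```python
import re

# All values below are constructed for the demo; the account IDs are placeholders.
ATTACKER_ACCOUNT = "111111111111"
VICTIM_ACCOUNT = "222222222222"
VICTIM_ROLE = f"arn:aws:iam::{VICTIM_ACCOUNT}:role/AppSyncDataSourceRole"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

def arn_account(arn: str):
    """Return the 12-digit account ID embedded in an IAM role ARN, or None if malformed."""
    m = ARN_RE.match(arn)
    return m.group(1) if m else None

def vulnerable_resolve_role(payload: dict, caller_account: str):
    """Models the bug class: the validator reads the exact-case key, while the downstream
    consumer matches keys case-insensitively, so 'servicerolearn' skips validation yet is honoured."""
    declared = payload.get("serviceRoleArn")
    if declared is not None and arn_account(declared) != caller_account:
        return None  # only fires when the exact-case key is present
    for key, value in payload.items():
        if key.lower() == "servicerolearn":
            return value  # case-insensitive lookup: a foreign-account ARN slips through
    return None

def hardened_resolve_role(payload: dict, caller_account: str):
    """Canonicalise once, reject ambiguous keys, and validate the value actually used."""
    matches = [k for k in payload if k.lower() == "servicerolearn"]
    if matches != ["serviceRoleArn"]:
        return None  # missing, duplicate or case-variant keys are rejected outright
    arn = payload["serviceRoleArn"]
    return arn if arn_account(arn) == caller_account else None

# Second line of defence in the victim account: pin the calling account with aws:SourceAccount,
# so an AppSync API owned by another account cannot assume the role even if validation is bypassed.
def make_trust_policy(pin_account):
    stmt = {"Effect": "Allow", "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole"}
    if pin_account:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": pin_account}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def trust_policy_allows(policy: dict, source_account: str) -> bool:
    """Toy evaluator: may appsync.amazonaws.com assume the role for a resource in source_account?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Service") != "appsync.amazonaws.com":
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if pinned is None or pinned == source_account:
            return True
    return False
```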
Ultimately, this would give the attacker complete control over the victim’s resources, the researchers added: “This would allow the attacker to interact with that data source as if they owned it.” ®
https://www.theregister.com/2022/11/22/aws_confused_deputy_vulnerability/