The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.
“Upon taking over the victim’s account, the attacker could have performed tasks such as reading connection strings, adding configurations and triggering directed acyclic graphs (DAGs),” senior security researcher Liv Matan said in a technical analysis.
“Under certain circumstances such actions can result in RCE on the instance that underlies the MWAA, and in lateral movement to other services.”
The root cause of the vulnerability, per the cybersecurity firm, is a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack.
Session fixation is a web attack that becomes possible when a service authenticates a user without invalidating the session identifiers that already exist. This lets the adversary force (aka fixate) a known session identifier on a user so that, once the user authenticates, the attacker holds a copy of the identifier for the now-authenticated session.
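To make that definition concrete, here is an added example (not code from Tenable's analysis or from AWS) of a toy server-side session store in two configurations: one that keeps the pre-authentication session ID across login, and one that rotates it and invalidates the old one. The store, the user name and the attacker-known identifier are all constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None          # None until the browser authenticates
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session table keyed by the session-id cookie value."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions: dict = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session `sid`; return the sid the browser must use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()
        if not self.rotate_on_login:
            # Vulnerable: the pre-authentication id stays valid after login, so anyone
            # who planted or learned it beforehand now holds an authenticated session.
            self.sessions[sid].user = user
            return sid
        # Hardened: issue a fresh identifier and invalidate the old one.
        old = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=user, data=old.data)
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def simulate_fixation(rotate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """An identifier the attacker already knows ends up in the victim's browser, the
    victim logs in with it, and we report who the attacker's copy and the victim's
    current cookie each resolve to afterwards (constructed scenario)."""
    store = SessionStore(rotate_on_login)
    fixated_sid = store.new_session()                              # attacker-known id
    victim_sid = store.login(fixated_sid, "victim@example.com")    # victim authenticates
    return store.whoami(fixated_sid), store.whoami(victim_sid)
```

With rotation off, the attacker-known identifier resolves to the victim's authenticated user; with rotation on, it resolves to nothing while the victim's new cookie still works.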
AWS and Microsoft Azure have both addressed the shortcoming by adding the misconfigured domains to the Public Suffix List (PSL), so that web browsers recognize them as public suffixes. Google Cloud, on the other hand, has described the issue as not “severe enough” to merit a fix.
In the case of same-site attacks, the security impact of the mentioned domain architecture is significant, with heightened risk of such attacks in cloud environments, Matan explained.
Among these, cookie-tossing attacks and same-site attribute cookie protection bypass are particularly concerning as both can circumvent CSRF protection. Cookie-tossing attacks can also abuse session-fixation issues.