A recent discovery by Miggo Research has unveiled a critical configuration vulnerability in Amazon Web Services (AWS) that exposes thousands of web applications to potential attacks.
This vulnerability, dubbed “ALBeast,” affects applications using AWS’s Application Load Balancer (ALB) authentication feature, particularly those not adhering to the updated AWS documentation following Miggo’s disclosure.
The ALBeast vulnerability arises from misconfigurations and faulty implementations of the ALB authentication feature. Specifically, attackers can exploit applications that are registered as ALB target groups but remain directly accessible, bypassing the ALB.
The vulnerability allows attackers to bypass authentication and authorization mechanisms by forging JSON Web Tokens (JWTs) used in the ALB authentication process.
Applications that are directly accessible, bypassing the ALB, are susceptible to attack. Because AWS serves ALB public keys from a single key server shared by all AWS accounts in a region, an attacker can set an arbitrary key ID (kid) in the JWT header so that the application fetches an attacker-controlled public key and uses it to validate the forged JWT.
Until recently, AWS’s documentation did not include guidance on validating a token’s signer, a crucial step to ensure that the trusted ALB signs the token.
This oversight leaves applications vulnerable to accepting attacker-crafted tokens. Notably, ALB tokens do not contain an audience (aud) field, complicating the validation process further.
Using an ALB under their own control, attackers can obtain a genuinely ALB-signed token carrying arbitrary identities, claims, and issuers. Applications that do not verify which ALB issued the token are particularly vulnerable to such attacks.
Miggo Research identified over 15,000 potentially vulnerable applications out of 371,000 using AWS ALB’s authentication feature. The majority of these applications lack the implementation to validate the signer of the JWT, leaving them exposed to the ALBeast attack.
AWS has updated its documentation to mitigate this vulnerability with two best practices: validating the token signer and configuring security group restrictions.
Validate the Signer: Ensure that the signer of the ALB JWT is the expected ALB. AWS has provided code snippets to help developers implement this validation.
Restrict Access: Configure security groups to ensure that applications only receive traffic from the trusted ALB. This involves referencing the load balancer's security group ID in the application's security group settings.
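The following is an added example, not AWS's own snippet or code from Miggo's research, showing the signer validation described above: it decodes the header of an x-amzn-oidc-data token, rejects any token whose signer is not the one trusted ALB ARN, and only then derives the regional public-key URL. The ALB ARN, region, and the test tokens are constructed values; signature verification with the fetched key is still required and is left to a JWT library.

```python
import base64
import json
import re
import time

# Constructed values for this example, not taken from a real deployment.
TRUSTED_ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                   "loadbalancer/app/my-alb/50dc6c495c0c9188")
REGION = "us-east-1"
# ALB key IDs are UUIDs; enforcing that keeps kid from steering the key URL.
KID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def _b64url_json(segment: str) -> dict:
    """Decode one JWT segment; ALB tokens may arrive with '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_alb_token_signer(token: str, now=None) -> dict:
    """Pre-signature checks. Returns ok plus the key URL to fetch, or a reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    try:
        header = _b64url_json(parts[0])
    except ValueError:
        return {"ok": False, "reason": "undecodable header"}
    if header.get("alg") != "ES256":
        return {"ok": False, "reason": "unexpected alg"}
    # The ALBeast check: the signer must be our ALB, not merely some ALB.
    if header.get("signer") != TRUSTED_ALB_ARN:
        return {"ok": False, "reason": "untrusted signer"}
    kid = header.get("kid", "")
    if not KID_RE.match(kid):
        return {"ok": False, "reason": "bad kid"}
    exp = header.get("exp")
    if not isinstance(exp, int) or exp <= (now if now is not None else time.time()):
        return {"ok": False, "reason": "expired"}
    return {"ok": True,
            "key_url": f"https://public-keys.auth.elb.{REGION}.amazonaws.com/{kid}"}


def make_test_token(signer: str, kid: str, exp: int) -> str:
    """Build a constructed, unsigned token with an ALB-style header for testing."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "ES256", "kid": kid, "signer": signer, "exp": exp}
    payload = {"sub": "user-1", "email": "user@example.com", "exp": exp}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"
```

Pair this with the security-group restriction above: the signer check defends the application when it is reached directly, and the security group keeps that from happening in the first place.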
AWS has acknowledged the vulnerability and updated its documentation to address the issues identified by Miggo Research. However, AWS has stated that the service operates as intended and that the shared responsibility model applies, meaning customers must follow the latest documentation and best practices to secure their applications.
The discovery of ALBeast highlights the importance of adhering to security best practices and the potential risks associated with cloud service configurations.
As cloud services become increasingly integral to business operations, ensuring robust security measures is crucial to protect against such vulnerabilities.
Miggo Research’s findings serve as a reminder of the critical role security researchers play in identifying and mitigating vulnerabilities, ultimately safeguarding the digital infrastructure that businesses rely on.