A vulnerability in a library created by network virtualization firm Eltima and used by a variety of vendors, including Amazon, has left more than a dozen cloud services vulnerable to a privilege escalation attack.
The vulnerabilities in Eltima’s SDK for virtual networking, which is used by a variety of cloud-based virtualization services, including Amazon’s WorkSpaces agent, its Nimble Studio AMI, and Eltima’s USB Network Gate, could allow an attacker to execute code in the kernel through a buffer overflow and so gain higher privileges.
The ability to elevate privileges to kernel or root would allow malicious software to turn off security products and gain access to sensitive information that would otherwise be protected.
The impact of a single SDK on more than a dozen services shows the problems posed by supply chain risk: vulnerabilities in a common SDK are inherited by the software products that rely on it, an event that has become increasingly common. APIs, a common way to let developers consume code as a service, have also become a source of supply chain vulnerabilities.
The latest vulnerabilities are not in the various services themselves but in the USB over Ethernet functionality included in the Eltima SDK. The security flaws affect not only client systems, such as laptops and desktops running Amazon WorkSpaces software, but also cloud-based machine instances that use services such as Amazon Nimble Studio AMI.
Vulnerabilities in third-party code have the potential to put huge numbers of products, systems, and ultimately end users at risk, as we’ve noted before. The outsized effect of vulnerable dependency code is magnified even further when it appears in services offered by cloud providers.
The vulnerabilities occur because the code makes no calls to validate, probe, lock, or map the buffer before using it; they affect software from Amazon, Accops, Eltima, Amzetta, and NoMachine.
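As an added illustration, not code from Eltima or any affected vendor, here is a portable C model of the bug class just described: an IOCTL-style handler that copies a caller-supplied buffer into a fixed kernel buffer without probing the address range or validating lengths, beside a hardened form that does both before copying. The structure names, the 64-byte limit and the user-space address boundary are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a kernel IOCTL handler; the SDK's real structures,
 * IOCTL codes and limits are not on the page. */
#define NAME_MAX 64
#define USER_SPACE_LIMIT 0x00007FFFFFFFFFFFULL /* assumed user/kernel split */
enum { IO_OK = 0, IO_BAD_ADDR = 1, IO_BAD_LEN = 2 };
struct req_hdr { uint32_t name_len; }; /* header, followed by name_len bytes */

/* "Probe": reject pointers outside user space and ranges that wrap around. */
static int probe_user_range(const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p;
    if (p == NULL || len == 0) return IO_BAD_ADDR;
    if (start > USER_SPACE_LIMIT || len > USER_SPACE_LIMIT - start) return IO_BAD_ADDR;
    return IO_OK;
}

/* Vulnerable shape: trusts the caller's length and copies into a fixed
 * 64-byte buffer, so name_len > NAME_MAX overflows it. Shown for contrast. */
int handle_unchecked(const void *user_buf, size_t user_len, char out[NAME_MAX]) {
    const struct req_hdr *h = user_buf;
    (void)user_len;                 /* the supplied length is never consulted */
    memcpy(out, h + 1, h->name_len);
    return IO_OK;
}

/* Hardened shape: probe the range, then validate every length before copying. */
int handle_checked(const void *user_buf, size_t user_len, char out[NAME_MAX]) {
    int rc = probe_user_range(user_buf, user_len);
    if (rc != IO_OK) return rc;
    if (user_len < sizeof(struct req_hdr)) return IO_BAD_LEN;   /* no full header */
    const struct req_hdr *h = user_buf;
    if (h->name_len > user_len - sizeof(struct req_hdr)) return IO_BAD_LEN; /* claims more than supplied */
    if (h->name_len >= NAME_MAX) return IO_BAD_LEN;                          /* would not fit plus NUL */
    memcpy(out, h + 1, h->name_len);
    out[h->name_len] = '\0';
    return IO_OK;
}

/* Builds a constructed request with a claimed name length and hands it to the
 * hardened handler, returning its status code. */
int check_request(uint32_t claimed_len, size_t supplied_len) {
    struct { struct req_hdr h; char name[256]; } r;
    char out[NAME_MAX];
    memset(&r, 'A', sizeof r);
    r.h.name_len = claimed_len;
    return handle_checked(&r, supplied_len, out);
}
```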
Companies should urge their cloud virtualization service provider to check whether it uses the Eltima USB over Ethernet library, even if the provider is not listed among the affected vendors. Amazon Web Services customers can check their maintenance settings, while Accops and NoMachine have both released advisories.