November 30, 2023

A researcher at the security firm Lightspin recently explained how she obtained credentials to an internal AWS service using a PostgreSQL extension and exploiting a local file read vulnerability on RDS. AWS confirmed the issue and deprecated dozens of minor versions of Amazon Aurora and RDS for PostgreSQL.

According to AWS, database users with sufficient permissions could use these credentials to gain elevated access to resources associated with the database cluster from which they were obtained. The credentials could not be used to access internal RDS services or to move between databases or AWS accounts.

The log_fdw extension enables the user to access the database engine log using a SQL interface. I spent some time going over system files until I found an interesting argument in the PostgreSQL config file that was not shown through using psql: the apg_storage_conf_file, which points to another configuration filename, grover_volume.conf. The file content points to another file, csd-grover-credentials.json.

This file let the researcher retrieve the temporary identity and access management (IAM) credentials, including a publicKey and a privateKey, which she could test and confirm as being connected to an internal role called csd-grover-role. Amiga concludes:

Within transiting three different files I was able to discover an internal AWS service and gain access to it. This is where my analysis and research ended. I did not attempt to enumerate any IAM permissions or move further laterally into AWS’ internal environment.

The vulnerability was reported to AWS on December 9th, more than four months ago, when the RDS team began working on investigation and remediation. AWS deployed an initial patch on the latest Aurora and RDS versions on December 14th, excluding older versions, and started to reach out to affected customers.

The AWS advisory did not initially mention Lightspin, and the lack of attribution raised further questions in the community. The announcement does not clarify what the internal service Grover is and how it works. Amiga confirms:

It is no longer possible to create an Aurora PostgreSQL or RDS for PostgreSQL instance with one of the following deprecated minor versions:

Aurora PostgreSQL

  • 10.11, 10.12, 10.13
  • 11.6, 11.7, 11.8

RDS for PostgreSQL

  • 13.2, 13.1
  • 12.6, 12.5, 12.4, 12.3, 12.2
  • 11.11, 11.10, 11.9, 11.8, 11.7, 11.6, 11.5, 11.5, 11.4, 11.3, 11.2, 11.1
  • 10.16, 10.15, 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.7, 10.6, 10.5, 10.4, 10.3, 10.1
  • 9.6.21, 9.6.20, 9.6.19, 9.6.18, 9.6.17, 9.6.16, 9.6.15, 9.6.14, 9.6.12, 9.6.11, 9.6.10, 9.6.9, 9.6.8, 9.6.6, 9.6.5, 9.6.3, 9.6.2, 9.6.1
  • 9.5, 9.4 and 9.3