AWS Cross Tenant Confused Deputy Vulnerability

A cross-tenant vulnerability in AWS could be exploited and have allowed attackers to abuse AWS AppSync service to assume IAM and gain access to resources in an organization’s account.

The AppSync service allows developers to create GraphQL and Pub/Sub APIs, each with an associated data source, as well as to invoke AWS APIs directly, creating integrations with AWS services, which requires defining roles with IAM permissions.

The vulnerability is described as the confused deputy problem, because it allows a less-privileged entity to trick a more-privileged entity to perform specific actions on its behalf.

To prevent such attacks, during the creation of a data source, AWS validates the role’s unique identifier called Amazon Resource Name (ARN) against the AWS account. If they do not match, the API displays an error.

The API would accept JSON payloads with properties that used mixed case during validation. The ARN is passed in the serviceRoleArn parameter that could be used to bypass the validation process if provided in a different casing.

This flaw could be exploited to create AppSync APIs data sources pointing to resources in other AWS accounts, essentially accessing data in those accounts.

A working PoC code targeting the vulnerability was published, and it was reported to AWS on September 1 and a patch was rolled out by September 6.

AWS notes, no customers were affected by this issue, and no customer action is required.

This research was documented by researchers from Datadog