A recent discovery by Miggo Research has unveiled a critical configuration vulnerability in Amazon Web Services (AWS) that exposes thousands of web applications to potential attacks.
This vulnerability, dubbed “ALBeast,” affects applications using AWS’s Application Load Balancer (ALB) authentication feature, particularly those not adhering to the updated AWS documentation following Miggo’s disclosure.
The ALBeast vulnerability arises from misconfigurations and misimplementations of the ALB authentication feature. Specifically, attackers can exploit applications that are configured as ALB target groups but are also reachable directly, without going through the ALB.
The vulnerability allows attackers to bypass authentication and authorization mechanisms by forging JSON Web Tokens (JWTs) used in the ALB authentication process.
Applications that are directly accessible, bypassing the ALB, are susceptible to attack. Because all AWS accounts in a region share the same public key server, an attacker can set an arbitrary key ID (kid) in the JWT and thereby choose which public key the application fetches to validate the forged token.
Until recently, AWS’s documentation did not include guidance on validating a token’s signer, a crucial step to ensure that the trusted ALB signs the token.
This oversight leaves applications vulnerable to accepting attacker-crafted tokens. Notably, ALB tokens do not contain an audience (aud) field, complicating the validation process further.
Attackers can forge an authentic ALB-signed token with arbitrary identities, claims, and issuers using a controlled ALB. Applications that do not verify the identity issuer are particularly vulnerable to such attacks.
Miggo Research identified over 15,000 potentially vulnerable applications out of 371,000 using AWS ALB’s authentication feature. The majority of these applications lack the implementation to validate the signer of the JWT, leaving them exposed to the ALBeast attack.
AWS has updated its documentation with two mitigations: validating the signer of the token and restricting access with security groups.
Validate the Signer: Ensure that the signer of the ALB JWT token is the expected ALB. AWS has provided code snippets to help developers implement this validation.
Restrict Access: Configure security groups to ensure that applications only receive traffic from the trusted ALB. This involves referencing the load balancer’s security group ID in the application’s security group settings.
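The first mitigation, as an added Go example that is not AWS's published snippet: the verifier rejects any token whose 'signer' header is not the trusted ALB's ARN before it even looks up a key, then checks the ES256 signature. The fetchKey callback stands in for the regional public key endpoint, the ARNs are placeholders, and MintToken and DemoKey exist only to build constructed sample tokens offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// b64 decodes one JWT segment; ALB pads its base64url output, so strip '=' before raw decoding.
func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "=")) }

// VerifyALBToken returns the claims only if the 'signer' header is the trusted ALB's ARN and the ES256
// signature verifies under the key fetched for that ALB's region; omitting the signer check is ALBeast.
func VerifyALBToken(token, trustedARN string, fetchKey func(region, kid string) (*ecdsa.PublicKey, error)) (claims map[string]any, err error) {
	hdrPart, rest, _ := strings.Cut(token, ".")
	claimsPart, sigPart, ok := strings.Cut(rest, ".")
	rawHdr, e1 := b64(hdrPart)
	rawClaims, e2 := b64(claimsPart)
	sig, e3 := b64(sigPart)
	var hdr struct{ Alg, Kid, Signer string } // header fields ALB sets; encoding/json matches the lowercase names
	if !ok || e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("malformed token or unexpected alg")
	}
	if hdr.Signer != trustedARN { // the ALBeast check: the shared regional key server would verify any ALB's token
		return nil, fmt.Errorf("token signer %q is not the trusted ALB", hdr.Signer)
	}
	pub, err := fetchKey(strings.Split(trustedARN, ":")[3], hdr.Kid) // region comes from the trusted ARN, never from the token
	digest := sha256.Sum256([]byte(hdrPart + "." + claimsPart))
	if err != nil || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("key lookup or signature verification failed: %v", err)
	}
	err = json.Unmarshal(rawClaims, &claims)
	return claims, err
}

// MintToken signs a token the way an ALB would; it exists only to build constructed samples for the demo.
func MintToken(priv *ecdsa.PrivateKey, signer, kid string, claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "ES256", "kid": kid, "signer": signer}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

func DemoKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k } // throwaway key standing in for the regional ALB signing key
```

In production the callback would fetch https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and the application should additionally be reachable only from the ALB's security group, so that a forged token never arrives in the first place.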
AWS has acknowledged the vulnerability and updated its documentation to address the issues identified by Miggo Research. However, AWS has stated that the service operates as intended and that the shared responsibility model applies, meaning customers must follow the latest documentation and best practices to secure their applications.
The discovery of ALBeast highlights the importance of adhering to security best practices and the potential risks associated with cloud service configurations.
As cloud services become increasingly integral to business operations, ensuring robust security measures is crucial to protect against such vulnerabilities.
Miggo Research’s findings serve as a reminder of the critical role security researchers play in identifying and mitigating vulnerabilities, ultimately safeguarding the digital infrastructure that businesses rely on.
AWS Response
“It is incorrect to call this an authentication and authorization bypass of AWS Application Load Balancer (ALB) or any other AWS service because the technique relies on a bad actor already having direct connectivity to a misconfigured customer application that does not authenticate requests. We recommend customers configure their applications to only accept requests from their ALB by using security groups and by following the ALB security best practices. A small fraction of a percent of AWS customers have applications potentially misconfigured in this way, significantly fewer than the researchers’ estimate. We have contacted each one of these customers directly to share best practices for configuring applications which use ALB,” an AWS spokesperson said.