Amazon Web Services has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.
“This attack abuses the AppSync service to assume roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts,” Datadog researcher Nick Frichette said in a report published last week.
AWS AppSync offers developers GraphQL APIs to retrieve or modify data from multiple data sources as well as automatically sync data between mobile and web applications and the cloud.
The service can also be used to integrate with other AWS services through specific roles designed to perform the necessary API calls with the required IAM permissions.
While AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role’s Amazon Resource Name, the problem stems from the fact that the check could be trivially bypassed by passing the “ServiceRoleArn” parameter in a lower case.
“This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service,” Frichette said.
