Researchers find holes in the cloud
Until recently, a vulnerability in Amazon Web Services, including the EC2 cloud, allowed unauthorised users to perform administrative tasks. At an ACM workshop on cloud security, a team of researchers from Germany's Ruhr University Bochum led by professor Jörg Schwenk reported that attackers were, for example, able to start and stop virtual machines, and create new images and gateways, in an EC2 instance.
In their presentation entitled "All Your Clouds are Belong to us", the researchers explained how an XML signature attack can be used to manipulate SOAP messages in such a way that EC2 will consider them authentic and intact. This attack type was first described in 2005 and exploits the fact that a signed fragment of an XML document is still accepted as correctly signed after the surrounding document has been modified.
Attackers can move the signed partial tree elsewhere in the document and then inject specially crafted elements at the original location. The attack is successful if an application's signature verification and XML interpretation are handled separately, and if the specially crafted, unsigned content is the part that is executed after verification. Apparently, this was the case with Amazon's SOAP interface. The security researchers said that a similar vulnerability also existed in the open source Eucalyptus software for operating private cloud installations.
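To show where the separation between signature verification and XML interpretation bites, here is an added Python example, not code from the researchers, Amazon or Eucalyptus: an HMAC over the serialised Body stands in for a real XML DSig, and the envelope layout, Ids and key are all constructed for the demo. The naive verifier resolves the signed reference anywhere in the document while the application reads whichever Body sits in the expected place; the strict verifier insists that those are the same node.

```python
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed demo key; HMAC over the serialised element stands in for a real XML DSig.
KEY = b"constructed-demo-key"

def digest(elem):
    """Signature value over one element; tail text dropped, mimicking canonicalisation."""
    e = copy.deepcopy(elem)
    e.tail = None
    return hmac.new(KEY, ET.tostring(e), hashlib.sha256).hexdigest()

def signed_envelope(body_xml):
    """Build a SOAP-style envelope whose Header carries a signature over the Body by Id."""
    body = ET.fromstring(body_xml)
    sig = f'<Signature ref="{body.get("Id")}">{digest(body)}</Signature>'
    return f"<Envelope><Header>{sig}</Header>{body_xml}</Envelope>"

def naive_verify_and_dispatch(xml_text):
    """Vulnerable pattern: resolve the Id anywhere, then act on the first Body separately."""
    env = ET.fromstring(xml_text)
    sig = env.find("Header/Signature")
    referenced = next(e for e in env.iter() if e.get("Id") == sig.get("ref"))
    if not hmac.compare_digest(digest(referenced), sig.text):
        raise ValueError("bad signature")
    return env.find("Body")[0].tag  # operation the application would execute

def strict_verify_and_dispatch(xml_text):
    """Hardened: the Body handed to the application must be the very node the signature covers."""
    env = ET.fromstring(xml_text)
    sig = env.find("Header/Signature")
    body = env.find("Body")
    matches = [e for e in env.iter() if e.get("Id") == sig.get("ref")]
    if len(matches) != 1 or matches[0] is not body:
        raise ValueError("signature does not cover the Body that would be processed")
    if not hmac.compare_digest(digest(body), sig.text):
        raise ValueError("bad signature")
    return body[0].tag

def wrapped_for_demo(signed_xml, new_body_xml):
    """Constructed wrapping case from the article: signed Body moved under the Header,
    an unsigned Body placed where the original was."""
    env = ET.fromstring(signed_xml)
    body = env.find("Body")
    env.remove(body)
    ET.SubElement(env.find("Header"), "Wrapper").append(body)
    env.append(ET.fromstring(new_body_xml))
    return ET.tostring(env, encoding="unicode")

GENUINE = signed_envelope('<Body Id="b1"><DescribeInstances/></Body>')
WRAPPED = wrapped_for_demo(GENUINE, "<Body><StopInstances/></Body>")
```

On the genuine message both verifiers return `DescribeInstances`; on the wrapped message the naive verifier still validates the relocated signed Body yet dispatches `StopInstances`, while the strict verifier rejects it.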
Amazon also proved vulnerable to cross-site scripting (XSS) attacks. The researchers found it particularly problematic that, once a user has successfully logged into the store, a session for the AWS cloud service is created automatically. They said that a successful XSS attack on the store could potentially be exploited to take over an AWS session; this can be done by injecting a few lines of suitable JavaScript code into the Amazon store and was also demonstrated by the researchers.
The security holes they described were closed immediately after the researchers informed the Amazon and Eucalyptus developers.
See also:
- Researchers: XML encryption standard is insecure, a report from The H.
(crve)