A group of German researchers from Ruhr-University Bochum, NEC Europe, and Cologne University found holes in Amazon Web Services' (AWS) cloud architecture that allowed hackers to become administrators and then access user data, according to a paper published by the researchers. AWS was informed of the flaws and has fixed them.
The ongoing issue is that similar flaws may exist in other cloud architectures. Not only are public clouds at risk, those enterprises planning or operating private clouds are at risk as well. The potential danger for private cloud may be greater because of the dependence on cloud products that may not have the same level support as found at AWS.
The researches have published a paper, "All Your Clouds are Belong to us--Security Analysis of Cloud Management Interfaces". The paper was published by the Association of Computing Machinery (ACM). The paper focuses on Amazon's EC2 and S3 control interfaces; it does not analyze other cloud services or products. It discussed the attacks performed, the vulnerability analysis, attack prerequisites, attack rationale, and assessment. The paper even provides an attack scenario for Twitter that demonstrates that many high profile and popular applications that use AWS were susceptible to these attacks. The paper has a long list of useful references to support its conclusions.
The paper is highly technical in content. For most readers of NoJitter, the content may appear to be beyond their interest. However, since many enterprises have moved applications to the cloud or are considering a private cloud, the content and conclusions are very relevant.
When I performed my survey of cloud based communications providers, Cloud/Hosted Communications Providers: Survey Results, I located more than one provider that uses the Amazon EC2 as their platform to deliver their communications features and functions. This means that the enterprise should be aware of this class of vulnerabilities and discuss them with their cloud communications service provider.
The researchers used a technique called "signature wrapping". XML signature wrapping is defined at WS-Attacks.org as follows:
"Web services offer designers enormous flexibility when it comes to employing integrity features. Usually in order to guarantee message integrity, certain predefined parts of the SOAP [Simple Object Oriented Protocol] message get signed. Let's assume that a web service client sends a signed message to the receiving web service. Ideally any malicious modification of the signed data is detected by the receiving web service unless the attacker is able to break the signature algorithm itself. However, when executing a XML Signature Wrapping attack, an attacker is able to change the content of the signed part without invalidating the signature."
The control interfaces can then be compromised with signature wrapping. The result of signature wrapping is that the party that has gained administrative access can create, change, and delete user data while appearing to be legitimate.
A second form of attack was analyzed that deals with browser based front ends. Cross Site Scripting (XSS) allows an attacker to perform an automated attack that steals user names and passwords from AWS.
This paper demonstrates that as complexity increases in the cloud so do vulnerabilities. Control interfaces have become very attractive targets. Fortunately, the paper also provides a number of countermeasures that can be employed by the cloud architects, designers and operators, whether the cloud is public or private.
