Miggo Uncovers AWS Load Balancer Security Flaw
Miggo has discovered a configuration-based vulnerability that enables cybercriminals to bypass authentication and authorization services provided by the Application Load Balancer (ALB) from Amazon Web Services (AWS) that could affect more than 15,000 potentially vulnerable applications.
AWS has since updated its documentation to advise IT teams to not set an arbitrary key ID that could provide access to all AWS accounts in a region using a forged JSON Web token (JWT).
Miggo CEO Daniel Shechter said this misconfiguration, dubbed ALBeast, can only be mitigated by adopting best practices to ensure that cybercriminals are not creating an authentic ALB token to access applications. In effect, thwarting this attack vector falls to IT and cybersecurity teams under the shared responsibility model that AWS and other cloud services providers have adopted, he noted.
ALB verifies the original issuer and stores it in the encrypted cookie. However, on follow-up requests, ALB uses the new issuer from the ALB configuration without validating it against the original issuer. In an ideal world, AWS should modify ALB to retrieve and validate the original issuer from the encrypted cookie, noted Schecter. Fundamentally, it’s an AWS design issue, he added.
ALBeast is the latest in a series of cloud configuration issues that regularly confound cybersecurity teams. While cloud service providers typically ensure their platforms are secure, there is no shortage of opportunities for IT organizations to misconfigure cloud services in a way that makes it easy for cybercriminals to gain access to data.
The challenge that organizations regularly encounter is the application developers that programmatically provision cloud services such as ALB lac cybersecurity expertise. As a result, misconfiguration of cloud services is rampant.
Unfortunately, understaffed cybersecurity teams lack the resources and expertise required to remediate cloud misconfigurations that cybercriminals have become especially adept at scanning for every time a cloud service is updated.
More challenging still, cybercriminals increasingly employ best DevOps practices to maliciously exploit cloud misconfigurations.
Miggo recently emerged from stealth to launch a namesake application detection and response (ADR) platform that enables IT teams to respond to cyberattacks in near real-time. The Miggio platform continuously analyzes application interactions and data flows to identify anomalous behavior indicative of a cyberattack. It then automatically applies mitigations to limit the scope of the attack before a major breach ensues.
It’s not clear how responsibility for application security will evolve going forward. In theory, at least, DevSecOps teams are taking more responsibility for building and deploying more secure applications, which includes preventing developers from misconfiguring cloud services. However, after an application is deployed it’s often the cybersecurity team that is held accountable.
The challenge, as always, is securing the funding needed to address cloud security when no one is certain who is responsible. Too often, application development teams assume cybersecurity teams are responsible for cloud security only to discover most of their resources were allocated to network and endpoint security. Conversely, many cybersecurity teams assume application development teams are responsible for securing the infrastructure they invoke. In the absence of any clear assignment of responsibility, it’s little wonder that mistakes continue to persist.