AWS Account Takeover via Log4Shell (opens in new tab)

(gigasheet.co)

90 pointsnaltun4y ago35 comments

35 comments

21 comments · 5 top-level

yabones4y ago· 8 in thread

To me this is less about log4j, and more about giving everything root.

> The AWS account takeover was possible because a highly privileged IAM role had been assigned to the EC2 instance running the vulnerable Docker container app

The mistakes are, in order:

1. Binding an administrator IAM role to an EC2 instance, which is never ever a good thing to do, and

2. Running a docker container with full root privs - docker is not as much a security barrier as you think it is - it's only slightly better than running the application as root on the VM itself.

So yes, the log4j vulnerability is dangerous, but not nearly as dangerous as running everything as root all the time.

nrdvana4y ago

Both are problems, but to me the biggest facepalm goes to log4j because anyone in their right mind should assume that log messages are untrusted input and should absolutely never have been parsed for control sequences. It's another prime example of Java over-engineering everything that should have been simple.

adambatkin4y ago

Don't blame the language, blame the library. At least it's not part of the standard library - in C, if you accidentally pass a user-provided string to the first argument of printf() you could be in just as much trouble.

2 more replies

thrashh4y ago

Isn’t log input being untrusted input an opinion?

Because in an alternative universe, they could have chosen to treat log messages like SQL where parameters are passed separately.

Obviously some people must believe that logs should be trusted input, otherwise we wouldn’t be in this situation.

That said I consider both logs and error exceptions as untrusted input, but purely on practicality.

1 more reply

fivea4y ago

> It's another prime example of Java (...)

Log4j is not java. In fact, you can have log4c# or log4rust or log4fortran with precisely the same design, and consequently the same design problems and vulnerabilities.

1 more reply

kristianpaul4y ago

Once again its no the vulnerability but how permissions are assigned to applications.

la64714y ago

Click bait title which the author gingerly clarifies in the article to be result of poor security practices. It is obvious isn’t it?

kristianpaul4y ago

That too, or he asumes everyone runs ec2 instances with Admin role as when people used to run LAMP as root…

1 more reply

nhoughto4y ago

If you bind ec2 and have any access in docker you likely can GET from ec2 metadata endpoint and get sts creds, don’t need root for that.

anonymouse0084y ago· 6 in thread

[Edit] too funny, the first three comments are all similar messages with three different communication styles (this one the most terse, I have much to learn)...

> The AWS account takeover was possible because a highly privileged IAM role had been assigned to the EC2 instance running the vulnerable Docker container app. While the Log4j2 vulnerability allowed initial access to the Docker container, the privileged IAM role enabled lateral movement and ultimately a total compromise of the AWS account.

Saving you a click... who would realistically give such a high permission set IAM to an EC2?

drunkpotato4y ago

AWS is so difficult to use securely by default that there is an entire thriving industry of vendors who will analyze your permissions and try to bring them down to meet the standard of principal of least privilege. I'm not at all surprised that there are many insecure environments and privilege escalation exploits; AWS is almost aggressively hostile to any attempts to use it securely.

mise_en_place4y ago

This is completely untrue. AWS offers many tools to audit credentials. It also has the policy simulator to see exactly what the impact of changes will be on a role.

1 more reply

jffry4y ago

Minimizing AWS permissions to just the set you need can be a royal pain in the ass. Many of the canned AWS-managed example policies end up giving either ANY action on a resource, or grant a handful of actions on ANY resource, (e.g. grant S3:* on some bucket, which inadvertently lets you delete the bucket too)

Simply reading the docs and attempting to divine the right subset of permissions can be nearly impossible. Usually you must guess, then exercise the software until it fails, then look in CloudTrail to see which permissions got denied, then try a new covering set, and repeat until nothing breaks. To say this is frustrating would be an understatement.

thelittleone4y ago

Because many people setting up AWS don't know this.

Perhaps AWS should create a giant red alert that customers must acknowledge before applying such a configuration.

ThalesX4y ago

Where would the giant red alerts stop? They already have it for S3 after so many people left their buckets open. But is it also not our responsability to properly understand the tools we use?

2 more replies

callmeal4y ago

>Saving you a click... who would realistically give such a high permission set IAM to an EC2?

The same people who think docker/k8s is what everyone should use and that java is a slow language?

tokamak-teapot4y ago· 1 in thread

Advert for gigasheet

mfollert4y ago

It really is ...

ff7c114y ago· 1 in thread

So if they didn't create a new user account and IAM account what would you see? If they just used the remote shell and the installed aws cli e.g. `aws s3 ls` would you be able to detect it? This article is an ad.

jffry4y ago

You'd still see the activity of that machine in AWS CloudTrail logs.

From [1]: "CloudTrail records two types of events: Management events capturing control plane actions on resources such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and data events capturing data plane actions within a resource, such as reading or writing an Amazon S3 object.

[1] https://aws.amazon.com/cloudtrail/features/

cddotdotslash4y ago

This is a helpful writeup in terms of specific queries to look out for, but any RCE on a host with privileged IAM access is going to lead to this scenario.

> The AWS account takeover was possible because a highly privileged IAM role had been assigned to the EC2 instance running the vulnerable Docker container app

This attack isn't unique to Log4Shell; it's a symptom of giving your (compromised) EC2 instance global admin access.

j / k navigate · click thread line to collapse

35 comments

21 comments · 5 top-level

yabones4y ago· 8 in thread

To me this is less about log4j, and more about giving everything root.

> The AWS account takeover was possible because a highly privileged IAM role had been assigned to the EC2 instance running the vulnerable Docker container app

The mistakes are, in order:

1. Binding an administrator IAM role to an EC2 instance, which is never ever a good thing to do, and

2. Running a docker container with full root privs - docker is not as much a security barrier as you think it is - it's only slightly better than running the application as root on the VM itself.

So yes, the log4j vulnerability is dangerous, but not nearly as dangerous as running everything as root all the time.

nrdvana4y ago

adambatkin4y ago

2 more replies

thrashh4y ago

Isn’t log input being untrusted input an opinion?

Because in an alternative universe, they could have chosen to treat log messages like SQL where parameters are passed separately.

Obviously some people must believe that logs should be trusted input, otherwise we wouldn’t be in this situation.

That said I consider both logs and error exceptions as untrusted input, but purely on practicality.

1 more reply

fivea4y ago

> It's another prime example of Java (...)

Log4j is not java. In fact, you can have log4c# or log4rust or log4fortran with precisely the same design, and consequently the same design problems and vulnerabilities.

1 more reply

kristianpaul4y ago

Once again its no the vulnerability but how permissions are assigned to applications.

la64714y ago

Click bait title which the author gingerly clarifies in the article to be result of poor security practices. It is obvious isn’t it?

kristianpaul4y ago

That too, or he asumes everyone runs ec2 instances with Admin role as when people used to run LAMP as root…

1 more reply

nhoughto4y ago

If you bind ec2 and have any access in docker you likely can GET from ec2 metadata endpoint and get sts creds, don’t need root for that.

anonymouse0084y ago· 6 in thread

[Edit] too funny, the first three comments are all similar messages with three different communication styles (this one the most terse, I have much to learn)...

Saving you a click... who would realistically give such a high permission set IAM to an EC2?

drunkpotato4y ago

mise_en_place4y ago

This is completely untrue. AWS offers many tools to audit credentials. It also has the policy simulator to see exactly what the impact of changes will be on a role.

1 more reply

jffry4y ago

thelittleone4y ago

Because many people setting up AWS don't know this.

Perhaps AWS should create a giant red alert that customers must acknowledge before applying such a configuration.

ThalesX4y ago

Where would the giant red alerts stop? They already have it for S3 after so many people left their buckets open. But is it also not our responsability to properly understand the tools we use?

2 more replies

callmeal4y ago

>Saving you a click... who would realistically give such a high permission set IAM to an EC2?

The same people who think docker/k8s is what everyone should use and that java is a slow language?

tokamak-teapot4y ago· 1 in thread

Advert for gigasheet

mfollert4y ago

It really is ...

ff7c114y ago· 1 in thread

jffry4y ago

You'd still see the activity of that machine in AWS CloudTrail logs.

[1] https://aws.amazon.com/cloudtrail/features/

cddotdotslash4y ago

This is a helpful writeup in terms of specific queries to look out for, but any RCE on a host with privileged IAM access is going to lead to this scenario.

> The AWS account takeover was possible because a highly privileged IAM role had been assigned to the EC2 instance running the vulnerable Docker container app

This attack isn't unique to Log4Shell; it's a symptom of giving your (compromised) EC2 instance global admin access.

j / k navigate · click thread line to collapse