
July 15, 2024
📋 Chef's weekly selections
Although the internet caught on fire last week, cyber firefighters saved the day and the internet. Rest easy, brave ASD diners, there are only 40 AWS Linux CVEs to chew on this week. You don’t see any CVEs in Red Star OS, do you? Time to switch?
Unrelated to very secure North Korean operating systems, we’re going to start publishing articles from veteran and aspiring AWS security chefs soon. Want to publish your work on awssecuritydigest.com? Send us a pitch to iwritegood@awssecuritydigest.com.
-
Somebody please make Rami McCarthy an employment offer he can’t refuse. I read slower than he writes awesome security blog posts. This week he surprises us with a not-so-awful AWS WAF use case - thwacking DDoS. Thwacking is good and so is this post. It’s a super practical way to do initial response to denial of service when you are limited by other options or need to do it on the cheap.
-
Poor mans MFA for AWS Client VPN
Unfortunately Ian Mckay made a typo in his blog post title this week. It should have read “Cursed MFA for AWS Client VPN”. It’s okay though, apparently if you put the AWS Client VPN, Slack, and thumbsup emoji in a pot and stir it, it comes out edible. You can improve Ian’s code by replacing 👍 with 🧑🍳.
-
Building the foundations: A defender’s guide to AWS Bedrock
I don’t include many AI-related posts because they are generally hot garbage. However, Anton Ovrutsky, soon to be formerly of Sumo Logic, does a really good job describing some approaches to detecting malicious Bedrock usage. I’d love to see how they stack up in the real world.
Bonus: I highly recommend everyone regularly visit Cloud Security Lab a Week (S.L.A.W). It’s just a sweet way to learn AWS security.
🥗 AWS security blog
- AWS achieves third-party attestation of conformance with the Secure Software Development Framework (SSDF)
- Strategies for achieving least privilege at scale – Part 2
- Strategies for achieving least privilege at scale – Part 1
- Top four ways to improve your Security Hub security score
- Context window overflow: Breaking the barrier
- Centrally manage VPC network ACL rules to block unwanted traffic using AWS Firewall Manager
👾 r/aws
- AWS Managed KMS Keys and Service Coverage (With Repository of all the Key Policies)
- How to modify these CodeDeploy and CodePipeline on LightSail instructions?
- Need help starting open stack
- WebSockets Server on a Private VPC Subnet
- Examples of AWS Config Rules written in Guard?
- Opensearch security analytics alerts through SNS
🧁 IAM permission changes
- thinclient: 4 updated actions, 1 updated resource
- ivs: 4 new actions, 1 new resource | 3 updated actions
- bedrock: 24 new actions, 4 new resources | 3 updated actions
- license-manager-linux-subscriptions: 7 new actions, 1 new resource, 3 new conditions
- rds: 12 updated actions | 1 removed condition
- medical-imaging: 2 new actions
- cloudfront: 1 new action
- appstudio: 5 new actions
- sagemaker: 5 new actions, 1 new resource | 3 updated actions
- internetmonitor: 1 updated action
- mediaconvert: 1 new action
- payments: 1 updated resource
- qapps: 2 new actions, 4 new conditions | 21 updated actions
🍔 AWS API Changes
- AWS Batch - 4 updated methods - This feature allows AWS Batch Jobs with EKS container orchestration type to be run as Multi-Node Parallel Jobs.
- Amazon Bedrock - 3 updated methods - Add support for contextual grounding check for Guardrails for Amazon Bedrock.
- Agents for Amazon Bedrock - 21 new, 10 updated methods - Add support for contextual grounding check for Guardrails for Amazon Bedrock.
- Agents for Amazon Bedrock Runtime - 3 new, 3 updated methods - Add support for contextual grounding check for Guardrails for Amazon Bedrock.
- Amazon Bedrock Runtime - 1 new, 2 updated methods - Add support for contextual grounding check for Guardrails for Amazon Bedrock.
- Amazon Elastic Compute Cloud - 6 updated methods - Add parameters to enable provisioning IPAM BYOIPv4 space at a Local Zone Network Border Group level
- AWS Glue - 5 updated methods - Add recipe step support for recipe node
- AWS License Manager Linux Subscriptions - 7 new, 1 updated methods - Add support for third party subscription providers, starting with RHEL subscriptions through Red Hat Subscription Manager (RHSM). Additionally, add support for tagging subscription provider resources, and detect when an instance has more than one Linux subscription and notify the customer.
- AWS MediaConnect - 5 updated methods - AWS Elemental MediaConnect introduces the ability to disable outputs. Disabling an output allows you to keep the output attached to the flow, but stop streaming to the output destination. A disabled output does not incur data transfer costs.
- Amazon FSx - 18 updated methods - Adds support for FSx for NetApp ONTAP 2nd Generation file systems, and FSx for OpenZFS Single AZ HA file systems.
- Amazon OpenSearch Service - 7 updated methods - This release adds support for enabling or disabling Natural Language Query Processing feature for Amazon OpenSearch Service domains, and provides visibility into the current state of the setup or tear-down.
- Amazon SageMaker Service - 5 new, 6 updated methods - This release 1/ enables optimization jobs that allow customers to perform ahead-of-time compilation and quantization. 2/ allows customers to control access to Amazon Q integration in SageMaker Studio. 3/ enables AdditionalModelDataSources for the CreateModel action.
- QApps - 23 new methods - This is a general availability (GA) release of Amazon Q Apps, a capability of Amazon Q Business. Q Apps leverages data sources your company has provided to enable users to build, share, and customize apps within your organization.
🍹 Updated AWS Managed IAM Policies
Managed Policy changed since last week: 7
☕︎ CloudFormation updates
No new resources.
🍪 Amazon Linux CVEs
- CVE-2024-6655 - gtk3: gtk2: Library injection from CWD
- CVE-2024-39493 - Resolved in Linux kernel: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
- CVE-2024-39492 - Resolved in Linux kernel: mailbox: mtk-cmdq: Fix pm_runtime_get_sync() warning in mbox shutdown
- CVE-2024-39491 - Resolved in Linux kernel: ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance
- CVE-2024-6608 - It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128.
- CVE-2024-6615 - Memory safety bugs present in Firefox 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128.
- CVE-2024-6611 - A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128.
- CVE-2024-6610 - Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128.
- CVE-2024-6607 - It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128.
- CVE-2024-6606 - Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128.
- CVE-2024-6605 - Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.
- CVE-2024-6612 - CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. This vulnerability affects Firefox < 128.
- CVE-2024-5569 - A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop.
- CVE-2024-6613 - The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.
- CVE-2024-39684 - Tencent RapidJSON is vulnerable to privilege escalation due to an integer overflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer overflow vulnerability (when the file is parsed), leading to elevation of privilege.
- CVE-2024-6604 - Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
- CVE-2024-6614 - The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.
- CVE-2024-38517 - Tencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.
- CVE-2024-37372 - The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. This vulnerability affects Windows users of the Node.js Permission Model in version v22.x and v20.x
- CVE-2024-6600 - Due to large allocation checks in ANGLE for GLSL shaders being too lenient, an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
- CVE-2024-38081 - .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
- CVE-2024-3596 - RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
- CVE-2024-30105 - .NET Core and Visual Studio Denial of Service Vulnerability
- CVE-2024-6603 - In an out-of-memory scenario an allocation could fail, but free would have been called on the pointer afterwards, leading to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
- CVE-2024-6601 - A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
- CVE-2024-6609 - When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128.
- CVE-2024-36137 - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
- CVE-2024-6237 - A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
- CVE-2024-35264 - .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2024-22020 - A security flaw in Node.js allows a bypass of network import restrictions.
- CVE-2024-36138 - The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- CVE-2024-6602 - A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
- CVE-2024-22018 - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
- CVE-2024-38095 - .NET and Visual Studio Denial of Service Vulnerability
- CVE-2024-6409 - A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions).
- CVE-2024-24974 - The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
- CVE-2024-38372 - Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.
- CVE-2024-27459 - The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
- CVE-2024-27903 - OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
- CVE-2024-39695 - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0.