
AWS fixes 'FlowFixation' vulnerability for account hijacking

A Tenable researcher discovered a session fixation flaw in AWS Managed Workflows for Apache Airflow that, combined with a misconfiguration, could enable account hijacking.

A vulnerability discovered by Tenable in Amazon Managed Workflows for Apache Airflow (MWAA), AWS's managed workflow orchestration service, could have let threat actors take over users' sessions in the service's web management panel.

The flaw, dubbed "FlowFixation," was disclosed in a Tenable blog post published Thursday and has since been resolved. Tenable senior security researcher and blog post author Liv Matan wrote that if exploited, FlowFixation could have allowed threat actors to hijack a victim's session in MWAA "and that could have resulted in remote code execution (RCE) on the underlying instance, and in lateral movement to other services."

AWS patched the FlowFixation vulnerability on the provider side. It was not assigned a CVE because it is a cloud vulnerability, fixed in the managed service itself, and did not require any action from users.

Matan said the attack originates from session fixation in the web management panel of MWAA combined with an AWS domain misconfiguration that created potential cross-site scripting threats.

"By abusing the vulnerability, an attacker could have forced victims to use and authenticate the attacker's known session," he wrote in the blog post. "This manipulation could have enabled the attacker to later use the same, now-authenticated session to take over the victim's web management panel."
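The session fixation Matan describes comes down to one server-side decision: whether the login flow authenticates the session ID the browser already presented, or discards it and issues a new one. The following is an added, stand-alone Python model of that decision, not code from MWAA, Apache Airflow or Tenable; the session store, the session IDs and the user name are constructed for illustration, and the attacker's planting of the ID in the victim's browser is assumed to have succeeded (that is the cookie-tossing step covered below).

```python
"""Session fixation, modelled as a server-side session table.

Added example, not MWAA or Airflow code. The store, IDs and user are
constructed for illustration.
"""
from __future__ import annotations

import secrets


class SessionStore:
    """Server-side session table keyed by the ID carried in the session cookie."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def start(self) -> str:
        """Pre-authentication session, issued to anyone who loads the login page."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def whoami(self, sid: str) -> str | None:
        return self._sessions.get(sid, {}).get("user")

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Flaw: authenticates whatever session the browser presented,
        regardless of who obtained that session ID in the first place."""
        self._sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_fixed(self, sid: str | None, user: str) -> str:
        """Fix: invalidate the presented session and issue a fresh ID at the
        privilege change, so a pre-planted ID never becomes authenticated."""
        if sid is not None:
            self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def fixation_attack(regenerate: bool) -> tuple[bool, bool]:
    """Play out the attack. Returns (attacker's known ID is now authenticated,
    victim is logged in) so both outcomes can be compared."""
    store = SessionStore()
    # 1. Attacker loads the victim panel's login page and records the pre-auth session ID.
    attacker_sid = store.start()
    # 2. Attacker plants that ID in the victim's browser (assumed to succeed here).
    victim_presents = attacker_sid
    # 3. Victim completes the login flow while presenting the planted ID.
    if regenerate:
        victim_sid = store.login_fixed(victim_presents, "victim@example.com")
    else:
        victim_sid = store.login_vulnerable(victim_presents, "victim@example.com")
    # 4. Attacker replays the ID they already know.
    return (store.whoami(attacker_sid) == "victim@example.com",
            store.whoami(victim_sid) == "victim@example.com")


if __name__ == "__main__":
    print("vulnerable login:", fixation_attack(regenerate=False))
    print("regenerating login:", fixation_attack(regenerate=True))
```

The check a practitioner wants is the second line of output: with regeneration the victim is still logged in, but the ID the attacker planted is no longer a valid session at all. Regeneration belongs at every privilege change (login, step-up, role switch), and the old ID must be invalidated server-side, not merely abandoned.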

This misconfiguration can result in same-site attacks such as cookie tossing, in which an attacker who controls one subdomain sets a cookie scoped to the shared parent domain (or with a more specific path than the legitimate one) so that the victim's browser sends the attacker's cookie to a sibling subdomain alongside, or ahead of, the legitimate cookie. The fix Matan argued for would have been to add the shared parent domains to the community-maintained Public Suffix List (PSL), which browsers consult to decide how widely a cookie may be scoped.

"Since neither domain is listed in the PSL, the attacker can carry out cookie tossing by simply setting the attacker's known session cookie for the victim's MWAA web management panel (a subdomain of amazonaws.com) to all shared parent domain subdomains in the victim's browser," Matan wrote. "This action causes the sharing of the set session cookie with the victim's MWAA web management panel."
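To make the cookie-tossing mechanism and the PSL's role concrete, here is an added Python model of how a browser decides whether to accept a Domain-scoped cookie and which cookies it then sends to a sibling subdomain. It is not code from Tenable, AWS or the PSL project: the hostnames, cookie values and PSL contents are constructed (the real MWAA hostnames and real PSL entries are not reproduced), and the model uses the registrable-domain (eTLD+1) rule that browsers apply while omitting the PSL's wildcard and exception syntax.

```python
"""Browser cookie-scoping model for cookie tossing across a cloud provider's
shared parent domain, with and without a Public Suffix List (PSL) entry.

Added example, not code from Tenable, AWS or the PSL project. Hostnames,
cookie values and PSL contents are constructed; wildcard and exception PSL
rules are not modelled.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field

_CREATED = itertools.count()


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # lower-case, no leading dot
    path: str = "/"
    host_only: bool = False
    created: int = field(default_factory=lambda: next(_CREATED))


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: equal, or host is a subdomain of domain."""
    return host == domain or host.endswith("." + domain)


def public_suffix(host: str, psl: set[str]) -> str:
    """Longest PSL entry matching the host; the final label if none matches."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]


def registrable_domain(host: str, psl: set[str]) -> str | None:
    """eTLD+1: one label below the public suffix; None if host is itself a suffix."""
    suffix = public_suffix(host, psl)
    if host == suffix:
        return None
    prefix = host[: -(len(suffix) + 1)]
    return prefix.split(".")[-1] + "." + suffix


def accept_cookie(setting_host: str, name: str, value: str,
                  domain_attr: str | None, psl: set[str],
                  path: str = "/") -> Cookie | None:
    """Apply the browser's Domain-attribute rules; None means the cookie is dropped."""
    if not domain_attr:
        return Cookie(name, value, setting_host, path, host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_matches(setting_host, domain):
        return None
    etld1 = registrable_domain(setting_host, psl)
    # A cookie may not be scoped above the setting host's registrable domain,
    # so a public suffix (or anything above it) is rejected.
    if etld1 is None or not domain_matches(domain, etld1):
        return None
    return Cookie(name, value, domain, path)


def cookies_for(jar: list[Cookie], host: str, path: str) -> list[tuple[str, str]]:
    """Cookie header contents for a request, in RFC 6265 section 5.4 order."""
    def sendable(c: Cookie) -> bool:
        domain_ok = c.domain == host if c.host_only else domain_matches(host, c.domain)
        path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
        return domain_ok and path_ok
    chosen = [c for c in jar if sendable(c)]
    # Longer paths first, then earlier creation time: a server that reads the
    # first "session" cookie it sees picks the attacker's if it sorts first.
    chosen.sort(key=lambda c: (-len(c.path), c.created))
    return [(c.name, c.value) for c in chosen]


VICTIM_HOST = "victim-panel.airflow.amazonaws.com"      # constructed
ATTACKER_HOST = "attacker-panel.airflow.amazonaws.com"  # constructed
SHARED_PARENT = "amazonaws.com"


def toss_session_cookie(psl: set[str]) -> list[tuple[str, str]]:
    """Attacker-controlled subdomain sets a parent-scoped `session` cookie;
    return what the victim's browser then sends to the victim's panel."""
    jar: list[Cookie] = []
    legit = accept_cookie(VICTIM_HOST, "session", "victim-session", None, psl)
    jar.append(legit)
    tossed = accept_cookie(ATTACKER_HOST, "session", "attacker-known-session",
                           SHARED_PARENT, psl, path="/login")
    if tossed is not None:
        jar.append(tossed)
    return cookies_for(jar, VICTIM_HOST, "/login")


if __name__ == "__main__":
    print("no PSL entry:  ", toss_session_cookie({"com"}))
    print("with PSL entry:", toss_session_cookie({"com", "airflow.amazonaws.com"}))
```

Without a PSL entry for the shared parent, the attacker's cookie is accepted and, because its path is more specific, is listed before the victim's own session cookie on the request to /login; with the constructed entry `airflow.amazonaws.com` on the list, each panel hostname becomes its own registrable domain and the parent-scoped cookie is refused outright. An application-level complement, independent of the PSL, is to name the session cookie with the `__Host-` prefix, which browsers only accept when it carries no Domain attribute, so a sibling subdomain cannot toss a cookie of that name at all.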

Because listing a shared parent domain in the PSL removes the browser behaviour that cookie tossing relies on, Matan argued that the absence of cloud service providers' (CSPs') shared parent domains from the PSL should itself be treated as a misconfiguration. As a result, he contacted multiple CSPs. AWS, he said, was highly responsive, and he commended the cloud giant for its efforts in addressing FlowFixation.

AWS spokesperson Patrick Neighorn provided the following statement to TechTarget Editorial:

AWS deployed a fix for these findings in September 2023, so customers running the current version of Amazon Managed Workflows for Apache Airflow (MWAA) are not impacted. We informed affected customers last year and encouraged them to update their environments through the AWS Console, API, or the AWS Command Line Interface. Before we resolved the matter, taking advantage of the findings was a complex process that would have required social engineering.

Microsoft's Azure was similarly amenable and "decided to input to the PSL all the missing domains we had reported to them," Matan wrote.

However, in the case of Google Cloud Platform (GCP), Matan wrote that when he contacted Google and reported that shared parent service domains were at risk because "googleusercontent.com" -- the default parent domain of websites hosted on Google Compute Engine -- was not on the PSL, "GCP opted not to fix the issue, saying in a message that it doesn't consider the issue 'severe enough' to track it as a security bug."

Matan described the PSL as "a neglected guardrail" for cloud environments and recommended that CSPs with shared parent service domains use it to prevent same-site attacks. Some companies have already done so. In March 2022, Akamai Technologies announced it would submit several shared domains to the private section of the PSL to address potential security and privacy issues.

TechTarget Editorial contacted Google and Tenable for additional comment, but they hadn't responded at press time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
