BreakingFormation: AWS CloudFormation Vulnerability



Orca Security’s vulnerability researcher, Tzah Pahima, discovered a vulnerability in AWS allowing file and credential disclosure of an AWS internal service. This zero-day, which AWS completely mitigated within 6 days of our submission, was an XXE (XML External Entity) vulnerability found in the CloudFormation service. It could have been used to leak sensitive files found on the vulnerable service machine and to make server-side requests (SSRF) that could disclose credentials of internal AWS infrastructure services.

At Orca Security, our customers are our priority in everything we do, including vulnerability research. Our primary goal is always to protect you and your cloud estate. Prior to this post, and before announcing the CloudFormation vulnerability publicly, our researchers worked with AWS to ensure that the issue was fixed to avoid putting our customers — and AWS’ customers — at risk.

What was the Zero-Day AWS BreakingFormation Vulnerability?

If you use AWS, then you might be familiar with CloudFormation, the service that enables you to easily provision AWS resources (such as EC2 instances and S3 buckets) using templates. CloudFormation also allows you to use API calls to dynamically create and configure resources. The Orca Security Research Team discovered a zero-day vulnerability that allowed us to compromise a server within CloudFormation, which in turn led to us running as an AWS infrastructure service.

Leveraging an anomaly in the way that CloudFormation renders templates allowed us to trigger an XXE vulnerability, which we used to read files and perform HTTP requests on behalf of the server. The server contained multiple service binaries containing AWS server-side logic, as well as configuration files for connecting to internal AWS endpoints and services.
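Added illustration, not code from the post or from AWS: a minimal XML "template" renderer built on Python's standard-library xml.sax, run once with external entity resolution enabled (the XXE-prone setting) and once with it disabled (the hardened setting), against a constructed local file that stands in for a sensitive file on the host.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects every character-data chunk the parser emits, entity expansions included."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def render_template(xml_bytes, resolve_external_entities):
    """Parse an XML template and return its text content.
    resolve_external_entities=True is the weak setting: SYSTEM entities are fetched
    from file:// or http:// URLs (file read / SSRF). False is the hardened setting:
    the reference is skipped and nothing is fetched. A stricter policy would also
    reject any template that carries a DOCTYPE at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_exposure_check():
    """Returns (secret_leaked_with_weak_parser, secret_leaked_with_hardened_parser)."""
    secret = "constructed-secret-value-for-demo"  # constructed stand-in for a host file
    tmp = tempfile.NamedTemporaryFile("w", delete=False)
    tmp.write(secret)
    tmp.close()
    try:
        # Constructed template: the DOCTYPE declares an external entity pointing at the file.
        template = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE Template [<!ENTITY ext SYSTEM "%s">]>\n'
            '<Template><Description>&ext;</Description></Template>'
            % Path(tmp.name).as_uri()
        ).encode()
        weak = render_template(template, True)       # entity expanded: file content leaks
        hardened = render_template(template, False)  # entity skipped: nothing leaks
        return (secret in weak, secret in hardened)
    finally:
        Path(tmp.name).unlink()
```

Running `xxe_exposure_check()` returns `(True, False)`: the same template leaks the file only when the parser is allowed to resolve external general entities.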

Our research team believes, given the data found on the host (including credentials and data involving internal endpoints), that an attacker could abuse this vulnerability to bypass tenant boundaries, giving them privileged access to any resource in AWS.


This is what a file disclosure looks like (AWS employees’ information on the right side of the screen was redacted):

We didn’t want to interfere with the service’s operation. To determine, in a non-invasive way, whom these credentials belonged to, we used the leaked credentials to presign an S3 URL and then used the SSRF to try to access our own S3 bucket and see which identity was involved. The resulting logs tell us who these credentials belong to. The result was an Access Denied CloudTrail log entry, with the identity shown below:


Note: The “userIdentity” field shows that an AWS service, not CloudFormation’s public principal but rather an internal service used by AWS, tried to access our storage bucket.
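Added example, not from the post: the verification step above works because CloudTrail records an AccessDenied event whose userIdentity is an AWS service principal rather than a customer identity. The detection below scans constructed CloudTrail records for S3 AccessDenied events from service principals that are not on an expected allow-list; the allow-list, bucket name and the service name in the sample records are assumptions.

```python
import json

# Assumption: services expected to act on this bucket on the account's behalf.
EXPECTED_SERVICE_CALLERS = {"cloudformation.amazonaws.com"}


def flag_unexpected_service_denials(cloudtrail_json):
    """Parse a CloudTrail delivery document ({"Records": [...]}) and return
    (eventTime, eventName, invokedBy, bucket) for every S3 AccessDenied event
    raised by an AWS service principal outside the allow-list."""
    flagged = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("errorCode") != "AccessDenied":
            continue
        ident = rec.get("userIdentity", {})
        # Service principals carry type "AWSService" and name the caller in invokedBy.
        if ident.get("type") != "AWSService":
            continue
        caller = ident.get("invokedBy", "<unknown>")
        if caller in EXPECTED_SERVICE_CALLERS:
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName", "<unknown>")
        flagged.append((rec.get("eventTime"), rec.get("eventName"), caller, bucket))
    return flagged


# Constructed sample: one denied IAM user, one expected service, one unexpected service.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-09-09T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "requestParameters": {"bucketName": "example-research-bucket", "key": "probe.txt"}},
    {"eventTime": "2021-09-09T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"bucketName": "example-research-bucket", "key": "probe.txt"}},
    {"eventTime": "2021-09-09T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSService", "invokedBy": "example-internal.amazonaws.com"},
     "requestParameters": {"bucketName": "example-research-bucket", "key": "probe.txt"}},
]})

if __name__ == "__main__":
    for hit in flag_unexpected_service_denials(SAMPLE_LOG):
        print("unexpected service principal denied on S3:", hit)
```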

Reforming the Ranks

We immediately reported the issue to AWS, who acted quickly to fix it. The AWS security team coded a fix in less than 25 hours, and it reached all AWS regions within 6 days.

Orca Security researchers helped test the fix to ensure that this vulnerability was correctly resolved, and we were able to verify that it could no longer be exploited.


  • 09/09/2021 – Vulnerability reported to the AWS security team.
  • 09/10/2021 – AWS sent us a message, saying they had made a code change and had started deploying it.
  • 09/15/2021 – The code change reached every AWS region.

The Orca Security Research Team is dedicated to ethically advancing cloud security in close partnership with the cloud service platforms that we help protect. 

If you’d like to learn more about Orca Security I invite you to experience our tech and talent first-hand with a no-obligation, free cloud risk assessment. You’ll get complete visibility into your public cloud, a detailed risk report with an executive summary, and time with our cloud security experts.

Tzah Pahima is a Cloud Security Researcher at Orca Security. Follow him on Twitter @tzahpahima


1 Comment

  1. > Our research team believes, given the data found on the host (including credentials and data involving internal endpoints), that an attacker could abuse this vulnerability to bypass tenant boundaries, giving them privileged access to any resource in AWS.

    This is bullshit and their own report indicates the opposite. Hugely irresponsible of Orca to include this kind of unfounded speculation in their report. But also this is what AWS gets for having a "if there's no customer impact, there's no disclosure" security policy, it leaves the door open for this kind of shit.
