AWS Patches Glue Bug That Put Customer Data at Risk
Researchers have discovered a critical vulnerability in the AWS Glue service that could allow remote attackers to access sensitive data owned by large numbers of customers.
Dubbed “Superglue” by the Orca Security Research Team, the bug was made possible by an internal misconfiguration within the service.
AWS Glue is a serverless data integration service that allows customers to discover and combine data for machine learning, analytics and app development. Given that it can access large volumes of potentially sensitive data, it could be an attractive target for hackers.
“During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API,” Orca Security explained.
“In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”
The vendor claimed to have been able to assume roles in AWS customer accounts that are trusted by Glue and