August 22, 2024Ravie LakshmananCloud Security / Application Security

As many as 15,000 applications that use Amazon Web Services (AWS) Application Load Balancer (ALB) for authentication are potentially vulnerable to a configuration issue that could allow them to bypass access controls and compromise applications.

This is evident from findings by the Israeli cybersecurity company Miggo, which described the problem as ALBeest.

“This vulnerability could allow attackers to gain direct access to affected applications, especially if they are exposed to the Internet,” said security researcher Liad Eliyahu.

ALB is an Amazon service designed to route HTTP and HTTPS traffic to target applications based on the nature of the requests. It also allows users to offload their apps’ authentication functionality to the ALB.

“Application Load Balancer provides secure authentication for users when they access cloud applications,” Amazon said on its website.

“Application Load Balancer is seamlessly integrated with Amazon Cognito, enabling end users to authenticate through social identity providers such as Google, Facebook, and Amazon, and through corporate identity providers such as Microsoft Active Directory via SAML or an OpenID Connect-compliant identity provider (IdP).”

The core of the attack consists of a malicious actor creating their own ALB instance and configuring authentication on their account.

In the next step, the ALB is used to sign a token under their control and modify the ALB configuration by forging an authentic ALB-signed token with a victim’s identity. Ultimately, this token is used to gain access to the target application, bypassing both authentication and authorization.

In other words, the idea is that AWS signs the token as if it actually came from the victim’s system and uses the token to access the application, assuming it is publicly accessible or the attacker already has access to it.

Following the Responsible Disclosure process in April 2024, Amazon updated the documentation on the authentication feature and added a new code to validate the signer.

“To ensure security, you must verify the signature before performing authorization against the claims and validate that the signer field in the JWT header contains the expected Application Load Balancer ARN,” Amazon now explicitly states in its documentation.

“As a security best practice, we also recommend that you restrict your targets to only receive traffic from your Application Load Balancer. You can achieve this by configuring the security group of your targets to point to the security group ID of the load balancer.”

The revelation follows Acronis’s disclosure of how Microsoft Exchange misconfiguration could open the door to email spoofing attacks, allowing attackers to bypass DKIM, DMARC, and SPF protections and send malicious emails impersonating trusted entities.

“If you haven’t locked down your Exchange Online organization to only accept email from your external service, or if you haven’t enabled enhanced filtering for connectors, anyone can send you email from ourcompany.protection.outlook.com or ourcompany.mail.protection.outlook.com, and DMARC (SPF and DKIM) verification will be skipped,” the company said.