Superglue: A remediated zero-day vulnerability in AWS Glue

Risk Level: Compromised (1)

Platform(s): AWS

Where was this vulnerability found?

The Orca Research Pod found the Superglue vulnerability in AWS Glue, an event-driven, serverless computing platform on Amazon Web Services. AWS Glue runs code in response to events and automatically manages the computing resources required by that code. The main purpose of Glue, as compared to AWS Lambda, is to scan other services in the same Virtual Private Cloud, particularly S3.

Superglue Vulnerability

The Orca Research Pod identified a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, the Orca researchers were able to further escalate privileges within the account to the point where they had unrestricted access to all resources for the service in the region, including full administrative privileges.

By carefully looking at what data could be accessible in the service account, the Orca researchers confirmed that they would be able to access data owned by other AWS Glue customers. They used accounts under their control to test and verify that this issue gave them the ability to access data from other accounts without affecting any other AWS customers’ data.

These are some of the things that the Orca Research Team was able to do:

  • Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there is at least one role of this kind.
  • Query and modify AWS Glue service-related resources in a region. This includes, but is not limited to, metadata for Glue jobs, dev endpoints, workflows, crawlers, and triggers.

As mentioned above, all research related to this finding was conducted within AWS accounts owned by Orca Security. No other AWS customer accounts and no other customers’ data were accessed during our research.
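The first bullet above describes the blast radius: every account using Glue holds at least one IAM role the Glue service principal can assume. As an added defender-side example (not code from the Orca advisory or from AWS), the Python below audits role trust policies for that relationship and reports whether each such role pins its trust with an aws:SourceAccount or aws:SourceArn condition; the sample roles are constructed, and the glue.amazonaws.com principal name is assumed.

```python
import json

# Constructed sample shaped like IAM role records (RoleName + trust policy); not real data.
SAMPLE_ROLES = [
    {"RoleName": "GlueETLRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
                    "Action": "sts:AssumeRole"}]}},
    {"RoleName": "GlueCrawlerRole", "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Principal": {"Service": ["glue.amazonaws.com"]},
                    "Action": ["sts:AssumeRole"],
                    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]})},
    {"RoleName": "LambdaRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                    "Action": "sts:AssumeRole"}]}},
]

GLUE_PRINCIPAL = "glue.amazonaws.com"  # assumed service principal name


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action, and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_trusts_glue(stmt):
    """True for an Allow statement that lets the Glue service principal assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"sts:assumerole", "sts:*", "*"}:
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return GLUE_PRINCIPAL in services or "*" in services


def has_source_condition(stmt):
    """aws:SourceAccount / aws:SourceArn restrict whose Glue resources may use the role."""
    keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
    return bool(keys & {"aws:sourceaccount", "aws:sourcearn"})


def audit_glue_trusted_roles(roles):
    """Return {RoleName: pinned} for every role Glue can assume; pinned is False when
    some trusting statement lacks a source-account/ARN condition."""
    findings = {}
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # accept the policy as a dict or as a JSON string
            doc = json.loads(doc)
        glue_stmts = [s for s in _as_list(doc.get("Statement")) if statement_trusts_glue(s)]
        if glue_stmts:
            findings[role["RoleName"]] = all(has_source_condition(s) for s in glue_stmts)
    return findings
```

Feed it the roles returned by an IAM role listing for the account; unpinned Glue-trusted roles are the ones to review first.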

How did Orca help?

Orca worked with AWS to remediate the issue and to confirm that no customer accounts were inappropriately accessed. Within hours of reporting the issue, the AWS Glue service team had reproduced and confirmed the findings. By the following morning, a partial mitigation was deployed globally, followed by a full mitigation a few days later.

The Orca Security Research Team continues to dig around different cloud products and services to find such zero-day vulnerabilities. Our goal is to discover these vulnerabilities before any malicious actors do.

Orca

Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP, without the gaps in coverage, alert fatigue, and operational costs of agents.