The Orca Research Pod found the Superglue vulnerability in AWS Glue, an event-driven, serverless computing platform on Amazon Web Services. AWS Glue runs code in response to events and automatically manages the computing resources required by that code. The main purpose of Glue, as compared to AWS Lambda, is to scan other services in the same Virtual Private Cloud, particularly S3.
The Orca Research Pod identified a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, the Orca researchers were able to further escalate privileges within the account to the point where they had unrestricted access to all resources for the service in the region, including full administrative privileges.
By carefully looking at what data could be accessible in the service account, the Orca researchers confirmed that they would be able to access data owned by other AWS Glue customers. They used accounts under their control to test and verify that this issue gave them the ability to access data from other accounts without affecting any other AWS customers’ data.
These are some of the things that the Orca Research team was able to do:
Orca worked with AWS to remediate the issue and confirm with AWS that no customer accounts were inappropriately accessed. Within hours of reporting the issue, the AWS Glue service team had reproduced and confirmed the findings. By the following morning, a partial mitigation was deployed globally, followed by a full mitigation a few days later.
The Orca Security Research Team continues to dig around different cloud products and services to find such zero-day vulnerabilities. Our goal is to discover these vulnerabilities before any malicious actors do.
Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP － without the gaps in coverage, alert fatigue, and operational costs of agents.