AWS has patched a security vulnerability in AppSync, a service that provides APIs to query, update or publish data to multiple databases or microservices from a single endpoint.
The bug was discovered by Datadog Security Labs, which explained it here.
Datadog termed the vulnerability a “confused deputy” issue: “where a less-privileged entity (the attacker) convinces a more-privileged entity or service (AppSync) to perform some action on its behalf.”
AWS summed up the vulnerability here, as “a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.”
AWS said the fix required no action from customers, and that its log analysis found no evidence that anyone other than Datadog’s researchers had exercised the vulnerability.
What Datadog found was that “the API would accept JSON payloads with properties that used mixed case. For example, the API expected httpConfig but would not throw an error if hTtPcOnFiG was provided.”
“This finding revealed that a serviceRoleArn provided with a different casing would bypass the validation, allowing us to provide an ARN (Amazon Resource Name) of a role in a different AWS account,” the researchers said.
“By bypassing the ARN validation, we were able to create AppSync data sources tied to roles in other AWS accounts.
“This would allow an attacker to interact with any resource associated with a role which trusts the AWS AppSync service in any account.”
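The bypass Datadog describes is a parser differential: the validation step looks a property up by its exact name, while the deserializer that actually builds the data source matches property names case-insensitively, so a key such as `sErViCeRoLeArN` slips past the cross-account check and is still honoured. The following Python model of that pattern is an added example, not AWS or Datadog code; the account IDs, role names, the `KNOWN_KEYS` list and both handler functions are hypothetical, and it shows the vulnerable pattern beside one way to close it (parse once into a canonical model, reject unknown properties, validate the same object that is used downstream).

```python
"""Parser differential behind a case-sensitivity validation bypass, modelled
in Python. Added example, not AWS or Datadog code; account IDs, role names
and the two handler functions are hypothetical."""
import json
import re

# Constructed sample accounts (hypothetical IDs, not from the article).
OWN_ACCOUNT = "111111111111"      # account calling the API
OTHER_ACCOUNT = "222222222222"    # account whose role trusts the service

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
# Hypothetical property whitelist for a data-source request.
KNOWN_KEYS = {"name", "type", "serviceRoleArn", "httpConfig"}


def validate_role_arn(arn, caller_account):
    """Reject malformed ARNs and roles outside the caller's own account."""
    m = ARN_RE.match(arn or "")
    if not m:
        raise ValueError("malformed role ARN")
    if m.group(1) != caller_account:
        raise ValueError("cross-account role ARN rejected")
    return arn


def vulnerable_create_data_source(raw_json, caller_account):
    """Validation uses an exact-case key lookup, while the deserializer that
    actually builds the data source matches keys case-insensitively."""
    payload = json.loads(raw_json)
    # Validation layer only sees the property if it is spelled exactly.
    if "serviceRoleArn" in payload:
        validate_role_arn(payload["serviceRoleArn"], caller_account)
    # Deserialization layer lower-cases every key, so "sErViCeRoLeArN"
    # is accepted here even though validation never saw it.
    lowered = {k.lower(): v for k, v in payload.items()}
    return {"serviceRoleArn": lowered.get("servicerolearn")}


def hardened_create_data_source(raw_json, caller_account):
    """Parse once into a canonical model with exact-case keys, reject anything
    unknown, then validate the same object that is used downstream."""
    payload = json.loads(raw_json)
    unknown = sorted(set(payload) - KNOWN_KEYS)
    if unknown:
        raise ValueError(f"unexpected properties: {unknown}")
    model = {"serviceRoleArn": payload.get("serviceRoleArn")}
    if model["serviceRoleArn"] is not None:
        validate_role_arn(model["serviceRoleArn"], caller_account)
    return model


def attempt(handler, raw_json, caller_account):
    """Run a handler and report ("ok", result) or ("rejected", reason)."""
    try:
        return "ok", handler(raw_json, caller_account)
    except ValueError as exc:
        return "rejected", str(exc)


def demo():
    """Run three constructed requests through both handlers."""
    own_role = f"arn:aws:iam::{OWN_ACCOUNT}:role/AppSyncDataSourceRole"
    other_role = f"arn:aws:iam::{OTHER_ACCOUNT}:role/AppSyncDataSourceRole"
    cases = {
        "benign": json.dumps({"serviceRoleArn": own_role}),
        "cross_account": json.dumps({"serviceRoleArn": other_role}),
        "cross_account_mixed_case": json.dumps({"sErViCeRoLeArN": other_role}),
    }
    return {
        name: {
            "vulnerable": attempt(vulnerable_create_data_source, body, OWN_ACCOUNT),
            "hardened": attempt(hardened_create_data_source, body, OWN_ACCOUNT),
        }
        for name, body in cases.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the exact-case cross-account request rejected by both handlers, while the mixed-case variant is accepted by the vulnerable handler with the other account's role ARN and rejected by the hardened one. Independent of the article, the usual account-side defence for a role that trusts a service principal such as appsync.amazonaws.com is an `aws:SourceAccount` or `aws:SourceArn` condition in the role's trust policy; that is general AWS guidance for confused-deputy prevention, not something the article reports.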
Datadog discovered the vulnerability on September 1, and AWS pushed a fix on September 6.