AWS’s Swift Response: Fixing the ‘FlowFixation’ Bug in Airflow Service.
Cybersecurity researchers have discovered a security vulnerability in AWS Managed Workflows for Apache Airflow (MWAA) that could potentially allow malicious actors to hijack victims’ sessions and achieve remote code execution on underlying instances. The vulnerability, codenamed FlowFixation, has been addressed by AWS.
The root cause of the vulnerability lies in a combination of session fixation on the web management panel of AWS MWAA and an AWS domain misconfiguration that results in a cross-site scripting (XSS) attack. Session fixation occurs when a user is authenticated to a service without invalidating any existing session identifiers, allowing the adversary to force a known session identifier on a user. By exploiting this flaw, a threat actor could have taken over victims’ web management panels and triggered actions that could lead to remote code execution.
Interestingly, this issue is not limited to AWS alone. It also impacts Microsoft Azure and Google Cloud due to similar misconfigurations. Tenable, the cybersecurity firm that discovered the vulnerability, highlighted the broader issue with cloud providers’ domain architecture and management, emphasizing the risk of same-site attacks, cross-origin issues, and cookie tossing.
FlowFixation – Security Vulnerability Exposed
Researchers identified a security flaw in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) known as “FlowFixation.” This vulnerability could allow attackers to hijack user sessions and potentially execute malicious code on the underlying systems.
“FlowFixation highlights a broader issue with the current state of cloud providers’ domain architecture and management as it relates to the Public Suffix List (PSL) and shared-parent domains: same-site attacks,” Matan said, adding the misconfiguration also impacts Microsoft Azure and Google Cloud.
Session Fixation Explained
Session fixation is a web attack technique that exploits how a service manages user sessions. When a user logs in, the service generates a unique identifier (session ID) to track the user’s activity. In session fixation, an attacker steals a legitimate session ID and forces the victim’s browser to use it. When the victim subsequently logs in, the attacker gains access to the compromised session.
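The condition described above, a session identifier issued before login that is still valid after authentication, can be tested for directly. The following is an added example, not code from AWS, Apache Airflow or Tenable; the `SessionStore` class, its methods and the user name are hypothetical and constructed for illustration.

```python
import secrets


class SessionStore:
    """In-memory server-side session table: session ID -> session data."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_session(self):
        """Issue an anonymous (pre-login) session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate `user`; return the session ID the browser must use afterwards."""
        if not self.rotate_on_login:
            # Fixation-prone: whatever ID the browser presented (even one it was
            # handed by another party) is promoted to an authenticated session.
            self.sessions.setdefault(presented_sid, {})["user"] = user
            return presented_sid
        # Hardened: invalidate the pre-login ID and issue a fresh one for the user.
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        """Return the authenticated user bound to `sid`, or None."""
        return self.sessions.get(sid, {}).get("user")


def pre_login_id_survives(store):
    """Regression check: does an ID issued before login stay valid after it?"""
    pre_login_sid = store.new_session()
    post_login_sid = store.login(pre_login_sid, "alice")  # constructed user name
    assert store.user_for(post_login_sid) == "alice"
    return store.user_for(pre_login_sid) == "alice"


if __name__ == "__main__":
    print("no rotation:", pre_login_id_survives(SessionStore(rotate_on_login=False)))
    print("rotation   :", pre_login_id_survives(SessionStore(rotate_on_login=True)))
```

The same check works as an integration test against a real login endpoint: record the session cookie before authenticating and confirm the server rejects it afterwards.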
MWAA Vulnerability and Potential Impact
The FlowFixation bug in MWAA was related to how it handled session IDs. An attacker could have potentially leveraged this flaw to steal a legitimate session ID and force the victim to use it. This could have granted the attacker access to the victim’s MWAA web management console and potentially allowed them to execute malicious code on the underlying systems.
Patch Available
Fortunately, AWS has addressed this vulnerability and released a patch. MWAA users are strongly advised to update their environments to the latest version to mitigate the risk of session hijacking and potential remote code execution.