A critical configuration bug was observed that affects applications using the AWS Application Load Balancer (ALB) for authentication, a flaw dubbed "ALBeast" that could lead to unauthorized access to business resources, data breaches, and data exfiltration.
A critical configuration bug has been discovered in the AWS Application Load Balancer (ALB) that could lead to unauthorized access to business resources, data breaches, and data exfiltration.
The flaw, dubbed "ALBeast," was identified by Miggo Research and affects applications using the ALB for authentication. According to the research team, over 15,000 potentially vulnerable apps have been found using the AWS ALB authentication feature.
The AWS load balancer distributes incoming application traffic across multiple targets, such as AWS EC2 web services instances. The ALBeast flaw can cause authentication and authorization bypass in applications exposed to the internet that rely on ALB authentication.
"AWS ALB has an authentication feature that was released in 2018 and includes a few features and documentation for customers on how to implement it securely," explained Liad Eliyahu, research lead at Miggo. "However, we discovered that the documentation is missing two crucial parts, causing applications to be vulnerable."
According to Eliyahu, the first missing element is a validation of which ALB actually signed the token. The Miggo team scanned numerous implementations of open-source projects as well as ALB authentication guides written by the community, and only one out of dozens mentioned this validation. “The team then assumed that almost all programmers did not include this validation in their code.”
Secondly, Miggo found a misconfiguration in the security groups that AWS claims to identify and notify customers about. According to Eliyahu, numerous sources indicate that this is one of the most common AWS misconfigurations.
"We suggested that AWS perform a change in the ALB implementation that can mitigate most of the ALBeast issues on their side," said Eliyahu. "They chose not to change their implementation, but to reach out to customers and inform them about these two actions they should take.”
A blog post by AWS released six days ago includes these security best practices:
"The configuration issue with AWS ALB arises not from a flaw in the ALB itself but from how it’s configured by users," added Jason Soroko, senior vice president of product at Sectigo. According to Soroko, the issue involves improper authentication setups, where apps fail to validate the token signer or mistakenly accept traffic from sources other than their ALB, thus allowing unauthorized access to resources and data exfiltration.
“Security teams should ensure that their apps properly verify tokens and restrict traffic to only trusted sources, particularly their ALB," said Soroko. "AWS continuously improves documentation on this to help people responsible for configuration to understand the risks, but it would be prudent to also look at diagnostic tools available from Amazon AWS as well as third party tools to help catch these kinds of configuration mistakes."
The above is the detailed content of ALBeast Bug Affects 15,000 Apps Using AWS ALB Authentication Feature. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
