A critical configuration bug has been discovered affecting applications that use the AWS Application Load Balancer (ALB) for authentication, dubbed “ALBeast,” which could lead to unauthorized access to business resources, data breaches, and data exfiltration.
Miggo Research said in an Aug. 20 blog post that since discovering ALBeast this spring, the research team has identified more than 15,000 potentially vulnerable apps that use AWS ALB authentication features.
AWS load balancers distribute incoming application traffic across multiple targets, such as Amazon EC2 instances. The ALBeast flaw may allow authentication and authorization bypass for internet-facing applications that rely on ALB authentication.
Liad Eliyahu, research lead at Miggo, explained that AWS released an authentication feature for ALB in 2018, along with documentation explaining how customers could implement it securely. But Eliyahu said the team found two key pieces missing from that documentation, leaving applications vulnerable.
First, it lacked validation of which ALB actually signed the token. Eliyahu said the Miggo team scanned numerous implementations from open source projects and community-written ALB authentication guides, but only one in dozens mentioned this validation. “The team assumed that nearly all programmers hadn't included this validation in their code,” Eliyahu said.
Second, Miggo found a security group misconfiguration, one that AWS says it identifies and notifies customers about; Eliyahu said that, according to multiple sources, it is one of the most common AWS misconfigurations.
“We proposed changes to AWS' ALB implementation that would allow AWS to mitigate most of the ALBeast issues,” Eliyahu said. “AWS decided not to change the implementation and instead contacted customers to inform them of two actions they could take.”
A blog post published by AWS six days ago included security best practices such as:
- Restrict ALB targets to only receive traffic from trusted sources: Configure the targets' security group to only accept traffic from the ALB. Teams can achieve this by referencing the ALB's security group when setting up the target security group's inbound rules. This effectively restricts access to the targets, ensuring that only the ALB can initiate connections to them. Deploy ALB targets in private subnets with no public or Elastic IP addresses. This prevents direct access to the targets from the public internet.
- Implement signature verification of the JSON Web Token (JWT) provided in the request from the ALB, and validate that the `signer` field in the JWT header matches the Amazon Resource Name (ARN) of the ALB.
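The second recommendation is the one ALBeast turns on: the regional public-key endpoint will happily serve the key for any ALB's token, so the comparison of the `signer` header field against the application's own ALB ARN is what actually ties the token to that load balancer. The following Python is an added example written for this article, not code from AWS or Miggo. It assumes an `x-amzn-oidc-data` token has already been read from the request, uses a constructed ARN (`EXPECTED_ALB_ARN`) and a constructed token builder for the offline demo, and takes the ECDSA verification as an injected callable: `demo_verifier` is a stub that accepts one fixed signature so the checks can be exercised without network or a crypto library, while `es256_verifier_with_key_fetch` shows what the production callable looks like (it needs the third-party `cryptography` package and network access to the `public-keys.auth.elb.<region>.amazonaws.com` endpoint documented by AWS).

```python
import base64
import json
import re
import time
from typing import Any, Callable, Dict, Tuple

# Constructed example ARN standing in for the application's own ALB (not from the article).
EXPECTED_ALB_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/example-alb/0123456789abcdef"
)

# Verifier contract: (public_key_url, signing_input, raw_r_concat_s_signature) -> bool
Verifier = Callable[[str, bytes, bytes], bool]


class TokenError(Exception):
    """Raised when the x-amzn-oidc-data token fails any check."""


def _b64decode_segment(segment: str) -> bytes:
    # ALB may emit standard (non-URL-safe) base64 with padding in this header, so
    # normalise the alphabet and re-pad rather than assuming strict JWS base64url.
    segment = segment.replace("-", "+").replace("_", "/")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))


def decode_segments(token: str) -> Tuple[Dict[str, Any], Dict[str, Any], bytes, bytes]:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three segments")
    header = json.loads(_b64decode_segment(parts[0]))
    payload = json.loads(_b64decode_segment(parts[1]))
    signature = _b64decode_segment(parts[2])
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, payload, signature, signing_input


def public_key_url(expected_alb_arn: str, kid: str) -> str:
    # Keys are served per region; the region is the fourth colon-separated ARN field.
    # Derive it from the ARN we trust, never from the untrusted token header.
    region = expected_alb_arn.split(":")[3]
    return f"https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"


def verify_alb_token(token: str, expected_alb_arn: str, verify_es256: Verifier,
                     now: float = None) -> Dict[str, Any]:
    """Return the payload claims if every check passes, otherwise raise TokenError."""
    header, payload, signature, signing_input = decode_segments(token)
    if header.get("alg") != "ES256":
        raise TokenError("unexpected alg")
    # The check ALBeast hinges on: the token must have been issued by *this* ALB.
    if header.get("signer") != expected_alb_arn:
        raise TokenError("token signed by a different ALB")
    kid = header.get("kid")
    # kid is attacker-influenced and becomes part of a URL, so constrain its charset.
    if not isinstance(kid, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", kid):
        raise TokenError("missing or malformed kid")
    if len(signature) != 64:
        raise TokenError("ES256 signature must be 64 raw bytes (r || s)")
    if not verify_es256(public_key_url(expected_alb_arn, kid), signing_input, signature):
        raise TokenError("signature verification failed")
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or missing exp")
    return payload


def es256_verifier_with_key_fetch(url: str, signing_input: bytes, signature: bytes) -> bool:
    # Production-style verifier: fetch the PEM key from the regional endpoint and verify
    # the raw r||s signature. Imports are lazy so the module runs without 'cryptography';
    # a real deployment should cache the key per URL instead of fetching per request.
    from urllib.request import urlopen
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature

    with urlopen(url, timeout=5) as resp:
        key = serialization.load_pem_public_key(resp.read())
    r = int.from_bytes(signature[:32], "big")
    s = int.from_bytes(signature[32:], "big")
    try:
        key.verify(encode_dss_signature(r, s), signing_input, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


# --- constructed demo material, not produced by a real ALB ---------------------------
DEMO_SIGNATURE = b"\x01" * 64  # the one signature the stub verifier accepts


def demo_verifier(url: str, signing_input: bytes, signature: bytes) -> bool:
    # Offline stand-in for ECDSA verification; it only checks the URL shape and the bytes.
    return (url.startswith("https://public-keys.auth.elb.us-east-1.amazonaws.com/")
            and signature == DEMO_SIGNATURE)


def build_token(header: Dict[str, Any], payload: Dict[str, Any], signature: bytes) -> str:
    # Assembles a token in ALB's header.payload.signature layout for the demo.
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()), enc(signature)])
```

Note the ordering: the signer check runs before the key is fetched, so a token naming some other ALB never causes a key lookup at all, and the region in the key URL comes from the ARN the application trusts rather than from anything in the token.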
An AWS spokesperson also denied the Miggo researchers' claims that the issue was an authentication and authorization bypass.
“It is incorrect to call this an authentication and authorization bypass of ALB or any other AWS service because this technique relies on a malicious actor already connecting directly to a misconfigured customer application that does not authenticate requests. We encourage customers to configure their applications to only accept requests from ALB using security groups and following ALB security best practices. As few as 1% of AWS customers may have applications misconfigured in this way, significantly less than the researchers estimated. We are reaching out to each of these customers directly to share best practices for configuring applications that use ALB.”
Due to a user misconfiguration
Jason Soroko, senior vice president of products at Sectigo, added that the AWS ALB configuration issues stemmed not from flaws in the ALB itself, but from how users configured it. Soroko said the issues were related to improper authentication configuration, in which applications failed to validate token signers or accepted traffic from sources other than the ALB, allowing unauthorized access to resources and data exfiltration.
“Security teams need to ensure that apps are properly validating tokens and restricting traffic to trusted sources only, especially the ALB,” Soroko said. “AWS is continually improving its documentation on this to help configurators understand the risks, but it's also wise to look at the diagnostic tools available from Amazon AWS, as well as third-party tools that can help spot misconfigurations like this.”
Editor's note: This story was updated at 10 a.m. ET on Aug. 23 with information from AWS.