As many as 15,000 apps that use AWS’s Application Load Balancer (ALB) for authentication could be vulnerable to attacks, according to application security company Miggo.
These attacks, dubbed ALBeast by Miggo, are possible due to what the company has described as a critical configuration issue, rather than an actual vulnerability in the AWS ALB solution.
AWS ALB is a load balancer that routes traffic to EC2 instances, containers, IP addresses, and Lambda functions based on the content of the request.
AWS was informed about the potential risks in April and it has since updated its documentation and added new code to help customers prevent ALBeast attacks, Miggo said.
A Censys search reveals over 370,000 internet-exposed instances of AWS ALB. Miggo has determined that over 15,000 of them may be vulnerable due to a configuration issue. However, the company noted that even apps that are not exposed to the internet may be targeted by attackers who have network access.
“First, the attacker creates their own ALB instance with authentication configured in their account. The attacker then uses this ALB to sign a token they fully control. Next, the attacker alters the ALB configuration and sets the issuer field to the victim’s expected issuer,” Miggo explained.
“AWS subsequently signs the attacker’s forged token with the victim’s issuer. Finally, the attacker uses this minted token against the victim’s application, bypassing both authentication and authorization,” it added.
According to Miggo, an ALBeast attack can enable threat actors to gain unauthorized access to business resources and exfiltrate data.
Users can prevent attacks by ensuring that apps using ALB authentication check the token signer, and by ensuring that only traffic from their ALB is accepted.
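As an added example (not code from the article, Miggo or AWS), the signer check described above in Python. It assumes the layout AWS documents for the ALB-issued `x-amzn-oidc-data` token, where `signer` (the ARN of the load balancer that signed it), `iss`, `exp` and `kid` sit in the JOSE header, and it delegates ES256 signature verification to a caller-supplied function because the public key has to be fetched from the AWS regional key endpoint; the ARN, issuer and signature values are constructed.

```python
import base64
import json
import time

# Constructed values for this example; a real deployment substitutes its own ALB ARN and IdP issuer.
EXPECTED_SIGNER = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/victim-alb/0123456789abcdef"
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

def _b64url_decode(part):
    # ALB tokens may carry '=' padding on each part; tolerate padded and unpadded input.
    part = part.rstrip("=")
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_alb_token(token, verify_sig, now=None):
    """Return (ok, reason). verify_sig(kid, signing_input, signature) -> bool is caller-supplied;
    in production it fetches the ES256 public key for `kid` from the AWS regional endpoint."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        exp = int(header.get("exp", 0))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    # The ALBeast check: an attacker can set any `iss` on an ALB they own, but `signer` names the
    # load balancer that actually signed the token. Reject anything that is not our own ALB.
    if header.get("signer") != EXPECTED_SIGNER:
        return False, "unexpected signer"
    if header.get("iss") != EXPECTED_ISSUER or header.get("alg") != "ES256":
        return False, "unexpected issuer or algorithm"
    if exp <= (now if now is not None else time.time()):
        return False, "expired"
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_sig(header.get("kid", ""), signing_input, _b64url_decode(sig_b64)):
        return False, "bad signature"
    return True, "ok"

def make_token(signer, iss, exp, sig=b"demo-signature"):
    # Builds a constructed token in the ALB layout (iss/exp/signer live in the JOSE header).
    header = {"alg": "ES256", "kid": "demo-kid", "signer": signer, "iss": iss, "exp": exp}
    payload = {"sub": "user-1", "email": "user@example.com"}
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload)) + "." + _b64url_encode(sig)

def demo_verify_sig(kid, signing_input, sig):
    # Stand-in for ES256 verification against the AWS public key for `kid`.
    return sig == b"demo-signature"
```

The signer comparison runs before anything else is trusted, so a token minted by another account's ALB with the victim's issuer set is rejected even though its issuer and signature would otherwise pass.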
Responding to a SecurityWeek inquiry, an AWS spokesperson stated, “It is incorrect to call this an authentication and authorization bypass of AWS Application Load Balancer (ALB) or any other AWS service because the technique relies on a bad actor already having direct connectivity to a misconfigured customer application that does not authenticate requests. We recommend customers configure their applications to only accept requests from their ALB by using security groups and by following the ALB security best practices.”
Regarding the number of potentially impacted applications, the AWS representative noted, “A small fraction of a percent of AWS customers have applications potentially misconfigured in this way, significantly fewer than the researchers’ estimate. We have contacted each one of these customers directly to share best practices for configuring applications which use ALB.”
*updated with statement from AWS