Cybersecurity firm Tenable disclosed a critical vulnerability within AWS, named FlowFixation, enabling potential complete control over user accounts on the Managed Workflows Apache Airflow (MWAA) service. Despite AWS patching the vulnerability months prior, Tenable’s research exposes a broader security issue in cloud services, emphasizing the need for proactive measures like updating the Public Suffix List to prevent exploitation. This flaw, attributed to session fixation and domain misconfiguration, underscores the risks inherent in shared-parent domains across cloud platforms like AWS, Azure, and Google Cloud.
The FlowFixation vulnerability specifically targeted the MWAA web management panel, leveraging session manipulation to gain unauthorized access. Exploitation could lead to dire consequences, including remote code execution on underlying instances or lateral movement to other services. Tenable’s investigation highlighted the interconnected nature of cloud services, where misconfigurations in shared-parent domains pose significant threats such as session fixation abuse and CSRF protection bypass.
While AWS and Microsoft responded promptly to mitigate the risk, Google opted against implementing a fix, deeming the severity insufficient for tracking as a security issue. AWS deployed a fix in September 2023, urging affected customers to update their environments promptly to safeguard against potential attacks. Tenable underscores the importance of incorporating problematic domains into the Public Suffix List to prevent not only FlowFixation but also other vulnerabilities across cloud services, emphasizing the ongoing necessity for robust cloud security measures.
