Cybersecurity researchers recently disclosed a critical security vulnerability known as FlowFixation in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA), which allowed unauthorized access leading to session hijacking and potential remote code execution. The vulnerability, codenamed FlowFixation by Tenable, could have enabled attackers to compromise victims’ accounts, perform malicious tasks including reading connection strings, adding configurations, and executing directed acyclic graphs (DAGS). Under certain conditions, these actions might have resulted in Remote Code Execution (RCE) on the underlying MWAA instance and lateral movement to other services. The root cause of this vulnerability was a combination of session fixation on the AWS MWAA web management panel and an AWS domain misconfiguration resulting in a cross-site scripting (XSS) attack.
Session fixation, facilitated by the misconfiguration, allows threat actors to take over a victim’s web management panel by forcing authenticated sessions. This cybersecurity concern raised broader issues in cloud providers’ domain management impacting the Public Suffix List (PSL), shared-parent domains, and same-site attacks. AWS and Azure have addressed the misconfiguration by adding the affected domains to PSL to prevent similar incidents, while Google Cloud has deemed the issue less critical. The vulnerability posed risks of unauthorized access, data leaks, and code execution, emphasizing the importance of robust domain architecture and management in cloud environments to mitigate such threats effectively.
