  1. Issue With IAM Supporting Multiple MFA Devices

    Initial Publication Date: 04/25/2023 10:00AM EST

    A security researcher recently reported an issue with AWS’s support, released November 16th, 2022, for multiple multi-factor authentication (MFA) devices on IAM user principals. The reported issue could have arisen only when the following three conditions were met: (1) an IAM user had possession of long-term access key (AK)/secret key (SK) credentials, (2) that IAM user had the privilege to add an MFA to their own identity without using an MFA, and (3) an administrator had configured that IAM user’s overall access privileges beyond console sign-in to be greater after adding the MFA. Under those narrow conditions, possession of AK/SK alone was equivalent to possession of AK/SK plus a previously configured MFA.

    IAM users with the ability to add or delete an MFA device associated with their own identity have always been able to do so solely with AK/SK credentials. The issue arose when the new feature was combined with a pattern in which IAM users self-manage their own MFA devices and have restricted access until they add an MFA. This self-management pattern was documented here, and that page included a sample IAM policy for implementing it. The new multi-MFA feature created an inconsistency with that approach: a user with only AK/SK credentials could add an additional MFA without using a previously configured MFA, so possession of AK/SK alone, without a previously configured MFA, could potentially gain broader access than customers using the sample policy expected.

    This issue did not affect AWS Management Console-based access, since an existing MFA is always required at sign-in. Nor did it affect federated principals, who manage MFA through their identity provider.

    As of April 21, 2023, the identified issue has been remediated by requiring that IAM users who already have one or more MFAs, and who use AK/SK credentials to manage their own MFA devices, first use sts:GetSessionToken with an existing MFA to obtain MFA-enabled temporary credentials and sign their CLI commands or API requests with those credentials before enabling or disabling MFA devices for themselves. We have directly notified, via their Personal Health Dashboard, a very small number of customers who had previously associated an additional MFA device using a mechanism other than the AWS Management Console. We recommended that those notified customers confirm the correctness of their MFA configurations. No further customer action is required.
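    As an added illustration (not AWS’s documented sample policy or tooling), the Python below audits an IAM policy document for the second precondition above: MFA-management actions an IAM user could call with bare AK/SK credentials, i.e. without an aws:MultiFactorAuthPresent condition on the Allow statement. The policy embedded in it is constructed in the same self-management shape the bulletin refers to; the action names and condition key are real IAM identifiers.

```python
"""Audit an IAM policy for MFA self-management actions that are granted
without an MFA-present condition. Added example; the policy is constructed."""
from fnmatch import fnmatchcase

# IAM actions that enrol, activate, resync or remove an MFA device.
MFA_MANAGEMENT_ACTIONS = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:DeactivateMFADevice",
    "iam:DeleteVirtualMFADevice", "iam:ResyncMFADevice",
}
MFA_KEY = "aws:multifactorauthpresent"  # condition keys are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def requires_mfa(statement):
    """True if the statement applies only when aws:MultiFactorAuthPresent is true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        for key, val in cond.get(op, {}).items():
            if key.lower() == MFA_KEY and str(val).lower() == "true":
                return True
    return False

def mfa_actions_without_mfa(policy):
    """Return sorted MFA-management actions some Allow statement grants without an
    MFA-present condition. Only Allow statements are inspected: an MFA-gated Deny
    that exempts these actions via NotAction (the self-management pattern) leaves
    them callable with long-term keys, which is what this audit surfaces."""
    exposed = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or requires_mfa(st):
            continue
        for pattern in _as_list(st.get("Action", [])):
            exposed.update(a for a in MFA_MANAGEMENT_ACTIONS
                           if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(exposed)

# Constructed policy in the "manage your own MFA, restricted until you do" shape.
SELF_MANAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:ListMFADevices", "iam:DeactivateMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
```

    Running `mfa_actions_without_mfa(SELF_MANAGE_POLICY)` lists the enrol, enable and deactivate actions as callable with AK/SK alone; since the April 21, 2023 change the service itself demands MFA-enabled session credentials for those calls once a user already has an MFA, so the audit identifies where that server-side check now stands in for a policy condition.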

    We would like to thank researchers at MWR Cybersec for identifying and responsibly disclosing this issue to AWS. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  2. Reported TorchServe Issue (CVE-2023-43654)

    Publication Date: 2023/10/02 02:00 PM EDT

    AWS is aware of CVE-2023-43654 and CVE-2022-1471 in PyTorch TorchServe versions 0.3.0 to 0.8.1, which use SnakeYAML v1.31, an open source library. TorchServe version 0.8.2 resolves these issues. AWS recommends that customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS that were released prior to September 11, 2023, update to TorchServe version 0.8.2.

    Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker are not affected.

    Customers can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2:

    The full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images.

    We would like to thank Oligo Security for responsibly disclosing this issue and working with the PyTorch maintainers on its resolution.

    If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

  3. CVE-2023-20569 - RAS Poisoning - Inception

    Publication Date: 2023/08/08 11:30AM PDT

    AWS is aware of CVE-2023-20569, also known as “RAS Poisoning” or “Inception”. AWS customers’ data and instances are not affected by this issue, and no customer action is required. AWS has designed and implemented its infrastructure with protections against this class of issues. Amazon EC2 instances, including Lambda, Fargate, and other AWS-managed compute and container services, protect customer data against Inception through microcode and software-based mitigations.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  4. Recent Software-based Power Side-Channel Security Research

    Publication Date: 2023/08/01 10:00AM PDT

    AWS is aware of recently published security research describing software-based power side-channel concerns, otherwise known as “Collide+Power”. AWS customers’ data and instances are not impacted by this issue, and no customer action is required. AWS has designed and implemented its infrastructure with protections against these types of concerns. Amazon EC2 instances, including Lambda, Fargate, and other AWS-managed compute and container services, do not expose power measurement mechanisms, such as Running Average Power Limit (RAPL) or similar interfaces, within the virtualized environment.

    We would like to thank the Graz University of Technology and CISPA Helmholtz Center for Information Security for responsibly disclosing this issue and working with us on its resolution.

    Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.

  5. Kubernetes Security Issues (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955)

    Publication Date: 2023/08/23 10:00 AM PDT

    AWS is aware of three security issues (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) in Kubernetes that affect Amazon EKS customers with Windows EC2 nodes in their clusters. These issues do not affect any Kubernetes control plane or the service itself, nor do these issues permit cross-customer impact. Updated Amazon EKS Windows AMIs are now available for Kubernetes versions 1.23 through 1.27 that include patched builds of kubelet and csi-proxy. We recommend that EKS customers update their configurations to launch new worker nodes from the latest AMI version.

    Customers using managed node groups can refer to the EKS documentation for instructions on upgrading their node groups. Customers self-managing worker nodes should replace existing instances with the new AMI version by following the EKS documentation.

    If you have questions or concerns about these updates, please reach out to AWS Support. Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.