As many as 15,000 applications that rely on Amazon Web Services' (AWS) Application Load Balancer (ALB) for authentication could be exposed to a configuration-based weakness that lets attackers bypass access controls and compromise those applications.
This issue has been identified by Israeli cybersecurity firm Miggo, which named the vulnerability "ALBeast."
"This vulnerability allows attackers to directly access affected applications, particularly if they are exposed to the internet," said security researcher Liad Eliyahu.
ALB is an AWS service that routes HTTP and HTTPS traffic to target applications based on the content of each request, such as the host header or URL path. It also offers a way to "offload the authentication functionality" from applications to the ALB, which then passes the authenticated user's claims to the target application as a signed JSON Web Token (JWT).
According to Amazon's website, "Application Load Balancer will securely authenticate users as they access cloud applications."
"Application Load Balancer is seamlessly integrated with Amazon Cognito, which allows end users to authenticate through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory via SAML or any OpenID Connect-compliant identity provider (IdP)."
The core of the attack is that the attacker sets up their own ALB, with authentication configured, in their own AWS account. Because every ALB in a region signs tokens with keys published at the same AWS public-key endpoint, that ALB can be made to sign a token carrying claims the attacker chooses. By adjusting the configuration of their ALB and the identity provider it trusts, the attacker obtains an authentic, ALB-signed token that asserts the victim's identity, then presents it directly to the target application, bypassing both authentication and authorization.
Essentially, the attacker gets AWS to sign a token that the target application cannot distinguish from one issued by its own ALB. The attack works when the application verifies only that the token is signed by AWS and not which ALB signed it, and it requires that the target be reachable without going through the victim's ALB, either because it is publicly accessible or because the attacker already has some level of network access.
After responsible disclosure in April 2024, Amazon revised the documentation for its authentication feature and added sample code that validates the signer of the token before trusting it.
Amazon's documentation now clearly states, "To ensure security, you must verify the signature before doing any authorization based on the claims and validate that the signer field in the JWT header contains the expected Application Load Balancer ARN."
"Also, as a security best practice, we recommend you restrict your targets to only receive traffic from your Application Load Balancer. You can achieve this by configuring your targets' security group to reference the load balancer's security group ID."
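The attack outlined above and the signer check Amazon now documents, as an added simulation that is not code from the original article, from Miggo or from AWS: one ECDSA P-256 key plays the regional ALB signing key that every account shares, a "victim" ALB and an "attacker" ALB both mint x-amzn-oidc-data tokens with it, and two verifiers receive the attacker's token. The ARNs, key ID, identity-provider URL and user claims are constructed for the example; the decoder tolerates both padded and unpadded base64url, and expiry and issuer checks are left out to keep the block short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

const victimALBARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/victim-alb/0123456789abcdef" // constructed, not a real resource
const attackerALBARN = "arn:aws:elasticloadbalancing:us-east-1:999999999999:loadbalancer/app/attacker-alb/fedcba9876543210" // constructed, not a real resource

// regionalKeys stands in for https://public-keys.auth.elb.<region>.amazonaws.com/<kid>. Every ALB in the
// region, in every AWS account, signs with this shared pool, so a valid signature never says whose ALB.
var regionalKeys = map[string]*ecdsa.PublicKey{}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeB64(seg string) ([]byte, error) { // accepts padded or unpadded base64url
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// albSign simulates an ALB minting x-amzn-oidc-data. AWS sets signer to the ALB's own ARN; iss comes from
// the ALB's authenticate-action config and the claims from whatever IdP that ALB was told to trust.
func albSign(priv *ecdsa.PrivateKey, kid, signer, iss string, claims map[string]string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "signer": signer, "iss": iss})
	payload, _ := json.Marshal(claims)
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JOSE ES256 signature is raw R||S (32 bytes each), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig)
}

// vulnerableVerify is the pre-fix pattern: check alg, kid and the ES256 signature against the regional
// key, then trust the claims. It never asks which ALB signed, which is the ALBeast weakness.
func vulnerableVerify(token string) (hdr, claims map[string]string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("malformed token")
	}
	if rawHdr, err := decodeB64(parts[0]); err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, nil, fmt.Errorf("bad header")
	}
	pub, ok := regionalKeys[hdr["kid"]]
	if hdr["alg"] != "ES256" || !ok {
		return nil, nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr["alg"], hdr["kid"])
	}
	sig, err := decodeB64(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, nil, fmt.Errorf("signature invalid")
	}
	if rawPayload, err := decodeB64(parts[1]); err != nil || json.Unmarshal(rawPayload, &claims) != nil {
		return nil, nil, fmt.Errorf("bad payload")
	}
	return hdr, claims, nil
}

// hardenedVerify adds the check AWS now documents: signer must be this application's own ALB ARN.
func hardenedVerify(token, expectedSigner string) (map[string]string, error) {
	hdr, claims, err := vulnerableVerify(token)
	if err != nil {
		return nil, err
	}
	if hdr["signer"] != expectedSigner {
		return nil, fmt.Errorf("token signed by %q, expected %q", hdr["signer"], expectedSigner)
	}
	return claims, nil
}

// buildTokens: the victim's ALB and an ALB in the attacker's AWS account share the regional key. The
// attacker picks their ALB's iss and their IdP's claims (so can assert alice) but cannot pick signer.
func buildTokens() (legit, forged string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	regionalKeys["kid-2024-08"] = &priv.PublicKey // AWS publishes the public half under this kid
	alice := map[string]string{"sub": "alice", "email": "alice@victim.example"}
	legit = albSign(priv, "kid-2024-08", victimALBARN, "https://idp.victim.example", alice)
	forged = albSign(priv, "kid-2024-08", attackerALBARN, "https://idp.victim.example", alice)
	return legit, forged
}

func main() {
	_, forged := buildTokens()
	_, _, vulnErr := vulnerableVerify(forged)
	_, hardErr := hardenedVerify(forged, victimALBARN)
	fmt.Println("attacker-ALB token accepted? signature-only:", vulnErr == nil, "with signer check:", hardErr == nil)
}
```

Running it prints `true` for the signature-only verifier and `false` once the signer ARN is compared. The signer check is the application-side half of the fix; the security-group rule quoted above is the network-side half, and it matters because the forged token is only useful if the attacker can deliver it to the target without passing through the victim's own ALB, which would overwrite the header.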
This disclosure follows Acronis's report of a Microsoft Exchange Online misconfiguration that could enable email spoofing. Such a misconfiguration would allow attackers to bypass DKIM, DMARC, and SPF checks and send malicious emails that appear to originate from trusted sources.
"If you didn't lock down your Exchange Online organization to accept mail only from your third-party service, or if you didn't enable enhanced filtering for connectors, anyone could send an email to you through ourcompany.protection.outlook.com or ourcompany.mail.protection.outlook.com, and DMARC (SPF and DKIM) verification will be skipped," the company warned.
Reference: www.thehackernews.com
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067