Amazon Web Services were until recently vulnerable to attacks

Oct 25, 2011 14:07 GMT

A team of researchers from Germany's Ruhr University of Bochum revealed some interesting findings on cloud security after discovering vulnerabilities in Amazon's Web Services and other cloud platforms.

According to H Security, the weakness, which was recently patched, allowed unauthorized users to perform administrative tasks.

Some of the theories were tested in EC2, Amazon's web service that provides resizable compute capacity in the cloud, and as it turned out, the researchers were able to perform operations such as starting and stopping virtual machines and creating new images and gateways.

In their paper called "All Your Clouds are Belong to us," the researchers, led by professor Jörg Schwenk, showed that an XML signature attack can be used to manipulate SOAP messages so that EC2 treats them as authentic.

Eucalyptus, the open source cloud platform, and Amazon's SOAP interface were susceptible to a signature wrapping attack, in which cybercriminals could have taken advantage of the fact that XML documents that are only partially signed are still seen as correctly signed even though they were altered.

The signed partial tree can be moved elsewhere in the document and specially designed elements injected in its original location if an app's signature verification and XML interpretation are handled separately. If the specially crafted code is executed immediately after the verification, the attack can be successful.
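The sketch below is an added example, not code from the paper, Amazon or Eucalyptus; it models the split between signature verification and XML interpretation described above and shows the check that closes it. The envelope layout, the `ref`/`Id` attributes, the operation names, the HMAC stand-in for XML-DSig and both messages are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # stand-in for the account's signing key

def digest(elem):
    # Simplified stand-in for canonicalizing and signing one subtree.
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def signed_element(root):
    """Return the single element the signature covers, or None if invalid."""
    sig = root.find("./Header/Signature")
    if sig is None:
        return None
    hits = [e for e in root.iter() if e.get("Id") == sig.get("ref")]
    if len(hits) != 1:  # a missing or duplicated Id is rejected outright
        return None
    ok = hmac.compare_digest(digest(hits[0]), sig.text or "")
    return hits[0] if ok else None

def handle_split(xml):
    # Weak: verify "something signed exists", then interpret Body by position.
    root = ET.fromstring(xml)
    if signed_element(root) is None:
        return None
    op = root.find("./Body/*")
    return None if op is None else op.tag

def handle_bound(xml):
    # Hardened: the element that is interpreted must be the verified one.
    root = ET.fromstring(xml)
    body = root.find("./Body")
    if body is None or signed_element(root) is not body or len(body) == 0:
        return None
    return body[0].tag

# Constructed messages: one genuine, one with the signed subtree relocated.
SIGNED_BODY = '<Body Id="body-1"><ReadOnlyOp/></Body>'
SIG = digest(ET.fromstring(SIGNED_BODY))
HEAD = f'<Signature ref="body-1">{SIG}</Signature>'
GENUINE = f"<Envelope><Header>{HEAD}</Header>{SIGNED_BODY}</Envelope>"
ALTERED = (f"<Envelope><Header>{HEAD}<Wrapper>{SIGNED_BODY}</Wrapper></Header>"
           '<Body Id="body-2"><AdminOp/></Body></Envelope>')

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("altered", ALTERED)):
        print(name, "split:", handle_split(msg), "bound:", handle_bound(msg))
```

The altered message still carries a valid signature over the relocated subtree, so only the handler that ties the verified element to the interpreted one rejects it.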

They also discovered some XSS vulnerabilities in Amazon's store cloud that allowed a hacker to take over a session by injecting a few lines of JavaScript code into it.

“Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased.

“Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim’s account, with all the stored data included,” reveals the paper.

Even though the presented issues were fixed, the problem remains that the complexity of cloud systems creates the possibility of finding many weaknesses that could be exploited.

“Undoubtedly, the most important lesson learned from our analysis is that managing and maintaining the security of a cloud control system and interface is one of the most critical challenges for cloud system providers worldwide,” the researchers conclude.