Session Hijacking Flaw in AWS Apache Airflow Reveals Larger Cloud Risk

A vulnerability in Amazon Web Services' (AWS) Managed Workflows for Apache Airflow (MWAA) could have allowed attackers to hijack users' sessions, perform remote code execution (RCE), move laterally within enterprise cloud environments, and more. But all of that is merely one manifestation of a broader misconfiguration threat that researchers have identified across AWS, Microsoft Azure, and Google Cloud.

The problem could expose a large number of enterprises. Apache Airflow, created at Airbnb in 2014, is an open source workflow management platform with nearly 12 million downloads per month by many estimates. More than half of Airflow users are data engineers (others include architects, engineers, DevOps specialists, and data engineers), and two-thirds work at companies with at least 200 employees.

In a statement to Dark Reading, Patrick Neighorn, a spokesperson for AWS, emphasized that "AWS released a fix for this finding in September 2023, so customers running the current version of Amazon Managed Workflows for Apache Airflow (MWAA) are not affected. We notified affected customers last year and encouraged them to update their environments via the AWS Console, the API, or the AWS Command Line Interface. Before we resolved this issue, exploiting the finding was a complex process that would have required social engineering."

The problem in MWAA began with its single sign-on (SSO) feature, which did not reset session cookies upon authentication, allowing an attacker to hijack a session without authenticating.

Different services offered by the major cloud providers often share a domain. In AWS, for example, Simple Storage Service (S3), API Gateway, and others share the same parent domain. The problem is that some of these assets allow client-side code to be executed.

"For example, the attacker's domain is 'attacker.shared.com' and the victim's is 'victim.shared.com,'" explains Liv Matan, senior security researcher at Tenable and author of the report. "Both websites are hosted under a shared parent domain called 'shared.' With that in mind, an attacker who obviously controls their own website can run JavaScript code and lure victims to that malicious website. The victim will visit the attacker's website, and the JavaScript code will set a cookie scoped to the shared parent domain, 'shared.com.' The cookie will then be available to both domains."

Placing a cookie on the shared parent domain is known as "cookie tossing." Here, it would let our hypothetical attacker reach the victim's Airflow Web panel and, among other things, execute code in the existing context. This is particularly concerning, Matan notes, because "Apache Airflow is often used to orchestrate data pipelines that process sensitive company data. Inputs to these pipelines may include customer information, financial data, or proprietary business data. Similarly, the outputs of data pipelines may contain sensitive or confidential processed data."

This recent finding is not just about MWAA, however. Such an attacker could use the cookie-tossing technique to pivot to other cloud services in the victim's environment, leading to further data breaches and abuse of enterprise resources. So at a more fundamental level, this could be a problem across the Amazon, Google, and Microsoft cloud platforms.

Amazon has since addressed its vulnerability, and both it and Microsoft have applied a fix for the shared-domain problem. Google has not, however. Dark Reading is awaiting further comment from Google's cloud team.

Originally created by Mozilla to support security and privacy in Firefox, the Public Suffix List (PSL) has since grown into a ubiquitous, community-maintained list of all the domain name suffixes under which one can register a website. This includes the general .com, but also .co.uk, .info, and so on, as well as private suffixes such as github.io. A copy of the list is bundled into every modern browser.

So cloud service providers can solve their parent-domain problem by rearchitecting a given domain, or they can simply add the domains of cloud services that share a site and host different customers to the PSL. After that, browsers can recognize them as a public suffix and account for cookie tossing.

AWS and Azure have recently done just that, though as mentioned, Google Cloud has not. According to Tenable, Google said it "doesn't consider this issue 'severe enough' to track as a security vulnerability."

Matan laments, "Cloud customers are at the mercy of their cloud provider to take action with this preventive measure. At the same time, cloud customers are responsible for protecting their Web applications in the cloud in order to reduce the risks."

Beyond that, "check whether the service domain you are using is in the PSL," he advises. "If not, for AppSec engineers: Be aware of the risks mentioned and address them by treating all same-site requests as untrusted."
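As an added illustration (not code from the article, Tenable, or any cloud provider), the following Python models the cookie-tossing scenario Matan describes and the PSL check he recommends: a constructed subset of the PSL, the rule-matching algorithm browsers apply, and whether a cookie scoped to the hypothetical parent domain 'shared.com' would be accepted before and after that domain is added to the list.

```python
# Added example: a minimal model of how browsers consult the Public Suffix List
# (PSL) before accepting a cookie scoped to a parent domain. The rule set is a
# constructed PSL subset; "shared.com" is the article's hypothetical shared domain.

def _labels(name):
    return name.lower().strip(".").split(".")

def _rule_matches(rule, host):
    """PSL matching: compare labels right-to-left; '*' matches any single label."""
    r, h = _labels(rule.lstrip("!")), _labels(host)
    if len(r) > len(h):
        return False
    return all(rl == "*" or rl == hl for rl, hl in zip(reversed(r), reversed(h)))

def public_suffix(host, rules):
    """Public suffix of host: an exception rule ('!...') wins, otherwise the
    longest matching rule; the implicit rule '*' applies when nothing matches."""
    h = _labels(host)
    matches = [r for r in rules if _rule_matches(r, host)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule's suffix is the rule with its leftmost label removed.
        return ".".join(_labels(exceptions[0])[1:])
    best = max(matches, key=lambda r: len(_labels(r)), default="*")
    return ".".join(h[-len(_labels(best)):])

def registrable_domain(host, rules):
    """Public suffix plus one label; None when host itself is a public suffix."""
    h = _labels(host)
    n = len(_labels(public_suffix(host, rules)))
    return None if len(h) <= n else ".".join(h[-(n + 1):])

def cookie_domain_accepted(host, cookie_domain, rules):
    """Would a browser on `host` accept Set-Cookie with Domain=cookie_domain?
    The domain must be the host or one of its parents, and must not be a
    public suffix (that is the check that defeats cookie tossing)."""
    h, d = _labels(host), _labels(cookie_domain)
    if h[-len(d):] != d:
        return False
    return registrable_domain(cookie_domain, rules) is not None

# Constructed PSL subset, before and after a provider registers its shared domain.
PSL_BEFORE = ["com", "co.uk", "github.io"]
PSL_AFTER = PSL_BEFORE + ["shared.com"]

if __name__ == "__main__":
    for name, rules in (("before PSL entry", PSL_BEFORE), ("after PSL entry", PSL_AFTER)):
        ok = cookie_domain_accepted("attacker.shared.com", "shared.com", rules)
        print(f"{name}: Domain=shared.com cookie accepted from attacker.shared.com -> {ok}")
```

Running it shows the parent-scoped cookie accepted before the PSL entry and rejected after it, which is exactly the effect of the fix AWS and Azure adopted.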
