Pierluigi Paganini
September 28, 2022
nuvola is the new open source security tool made by the Italian cyber security researcher Edoardo Rosa (@_notdodo_), Security Engineer at Prima Assicurazioni. The tool was released during the RomHack 2022 security conference in Rome. The tool helps the security community to address the complex topic of privilege escalation on cloud environments such as AWS.
The Privilege Escalations Drama
Privilege escalation is one common practice used by bad actors to gain entry into your most sensitive systems. They may start with a low-level account, but they exploit permissions and pathways to work themselves up to an intimidating level of privilege where they’re poised to cause irreparable damage and also gain persistence or lockdown the account.
Forrester estimated that 80% of security breaches involve privileged credentials. Many organizations have adopted cloud with such enthusiasm that they’ve failed to cover the fundamentals in security leaving many gaps for bad actors to find their way in.
Just like other forms of attacks, privilege escalation can go unnoticed, especially in a complex cloud environment where companies already have difficulty gaining visibility into their internal users, identities, and actions. A bad actor could spend days, if not weeks, inside your systems and you may not even know it. They could even expose sensitive data and, like in 50% of cases, you might be completely unaware of the breach until a third party informs you of it.
When it comes to AWS security, Identity and Access Management (IAM) permission misconfigurations have long held a spotlight, but that doesn’t mean they’re any easier to avoid. In reality, preventing privilege escalation begins with making it as difficult as possible applying the principle of least privilege.
Still, with common configuration issues and other vulnerabilities becoming commonplace in AWS architecture, it’s important to understand how bad actors could exploit our environments by understanding the most common AWS privilege escalations used.
Cloud Security Context
Cloud is a continuously evolving space with new services, strategies, and technologies springing up seemingly overnight. Due to this, organizations regularly change and adapt their approach to cloud and cloud security.
A report from the Cloud Security Alliance (Technology and Cloud Security Maturity, 2022) states that 84% of organizations report having no automation; since Identity and Access Management is a key factor in securing companies, automating the detection of possible attack paths may reduce the attack surface and avoid potential data breaches.
Beyond the technological aspects, another compendium of Cloud Security Alliance (The State of Cloud Security Risk, Compliance, and Misconfigurations, 2022) states that the lack of knowledge and expertise are well-known issues within the information security industry.
It is no surprise then, that lack of knowledge and expertise was consistently identified as:
Also, from the same report, the primary reason organizations state for having a security incident due to misconfigurations is lack of visibility (68%).
A global overview is vital for both an attacker and a defender because it allows both security analysts and attackers to immediately find attack paths to remediate or abuse the system.
A full understanding of the environment from a high-level enables companies to establish priorities and fulfill security requirements.
While IAM security is security is very important an attacker may also abuse misconfigurations on the environment like exposed resources (Alteryx, Twilio) or services; a Cloud Security Posture Management (CSPM) can help companies securing their asset defining standard controls (CIS, PCI, NIST, SOC2) and custom ruleset to avoid false positives or increase detection of security issues.
While some tools that support AWS are very useful and greatly developed, many of them lack a global overview or features and the results must be manually reviewed, aggregated and ingested in other tools or custom scripts.
Entering nuvola
nuvola (with the lowercase n) is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using graphs and a simple Yaml syntax.
The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola reflects the BloodHound traits used for Active Directory analysis but on cloud environments.
The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralized and lightweight digital twin.
Like BloodHound, nuvola uses the advantages and principles of the graph theory (implemented in the Neo4j graph database) to discover, and reveal relationships between objects within a cloud ecosystem enabling the engineers to perform analysis.
Since Prima Assicurazioni believes in open source, the tool it’s created with a community mindset and without custom or specific constraints to help us and other companies secure the AWS ecosystems. The tool also supports the creation of detection rules using YAML files to help experts and non-experts to contribute to the project.
For example using nuvola we can define a Yaml file to find all EC2 instances with the metadata endpoint not upgraded to v2. The syntax is easier that the one offered by Cypher, the query engine for Neo4j, allowing even non-hardcore analyst to perform assessments.
Figure. Output of a query to find vulnerable EC2 instances
The main advantage of using graphs is that we are able to find paths: from A to B.
We can find at vulnerable path using a Yaml file to query all paths from all users or roles to a target; in this case the policy called AdministratorAccess; abusing the actions PassRole and CreateStack.
Figure. List of AWS roles which can perform privilege escalation to administrator
The output shown in the above image states that cloudformation-deployer role can reach the policy AdministratorAccess; as well as the role temp-backend-api-role-runner.
The nuvola source code is available on GitHub. For further technical details about the inner working and the usage of the tool check the project wiki and RomHack 2022 slide deck.
About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager
In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the firsts Italian cyber war-game teams born back in 2011.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, cloud computing)
[adrotate banner=”5″]
[adrotate banner=”13″]
Pierluigi Paganini
September 28, 2023
