Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: AWS privilege escalation false positives #3807

Closed
rieck-srlabs opened this issue Apr 17, 2024 · 0 comments · Fixed by #3823
Closed

[Bug]: AWS privilege escalation false positives #3807

rieck-srlabs opened this issue Apr 17, 2024 · 0 comments · Fixed by #3823
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior.

Comments

@rieck-srlabs
Copy link
Contributor

Steps to Reproduce

Vanilla AWS setup: I'm running the prowler aws command against a AWS account. The AWS identity has the required policies assigned according to Prowler's documentation.

Expected behavior

Only valid privilege escalation paths be reported by the iam_policy_allows_privilege_escalation rule.

Actual Result with Screenshots or Logs

Prowler reports the following privilege-escalation vector:

Custom Policy arn:aws:iam::*********:policy/********** allows privilege escalation using the following actions: {'cloudformation:CreateStack', 'cloudformation:DescribeStacks'}.

I don't think these two actions suffice for privilege escalation (see also: Context below)

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Workstation

OS used

macOS

Prowler version

3.16.0

Pip version

23.3.1

Context

The change introduced with #2655 appears to have incorrectly defined some of the groups. Consider the following code from here

            "PassRole+CloudFormation": {
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
            },

The rule's name suggest that PassRole is required in addition to any cloudformation actions. This aligns with the privilege escalation path 20 highlighted here. However, iam:PassRole is missing in the definition.

A cursory check suggests this problem exists for the following two privilege escalation vectors:

  • "PassRole+DataPipeline"
  • "PassRole+CloudFormation"
@rieck-srlabs rieck-srlabs added bug status/needs-triage Issue pending triage labels Apr 17, 2024
@rieck-srlabs rieck-srlabs mentioned this issue Apr 19, 2024
Merged
@jfagoagas jfagoagas added provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior. and removed status/needs-triage Issue pending triage labels Apr 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(aws): Corrects privilege escalation vectors
2 participants
@jfagoagas @rieck-srlabs