
"We identified a way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low-privileged IAM role can obtain the permissions of a higher-privileged container running on the same host."
"The vulnerability identified by Sweet Security essentially allows for privilege escalation by allowing a low-privileged task running on an ECS instance to hijack the IAM privileges of a higher-privileged container on the same EC2 machine by stealing its credentials."
Cybersecurity researchers demonstrated an end-to-end privilege escalation chain in Amazon Elastic Container Service (ECS) that attackers can exploit for lateral movement and sensitive data access. Named ECScape, this vulnerability allows a low-privileged IAM role task to hijack credentials from a higher-privileged container on the same EC2 instance. This occurs via an undocumented internal protocol and a metadata service that exposes the temporary credentials associated with tasks, enabling malicious containers to assume more privileged roles and impersonate the ECS agent.
Read at The Hacker News