ALBeast vulnerability exposes AWS Application Load Balancer Configuration
Take action: If you are using AWS ALB with authentication, check the documentation to validate that your ALB is not vulnerable to ALBeast.
AWS has come under scrutiny due to the discovery of the ALBeast vulnerability, an issue related to its Application Load Balancer (ALB) authentication configuration. This flaw highlights the inherent challenges in the shared responsibility model of cloud security.
The ALBeast vulnerability arises not from a defect in the ALB itself, but from misconfigurations made by users during the setup of ALB authentication.
According to Jason Soroko, Senior Vice President of Product at Sectigo, the problem is rooted in improper authentication setups, where applications either fail to validate the token signer or mistakenly accept traffic from untrusted sources, bypassing critical security protocols. This flaw can potentially expose thousands of applications relying on AWS's ALB to unauthorized access and data exfiltration.
The vulnerability allows threat actors to create their own ALB instance with authentication configured under their control. This rogue ALB can then sign a token that appears legitimate but carries the identity of a victim, allowing the attacker to bypass authentication and authorization checks and gain access to targeted applications. This scenario occurs if the application is publicly accessible or if the attacker already has some level of access. AWS has since updated its documentation to emphasize the importance of verifying the signer field in the JWT header and configuring security groups to restrict traffic to only trusted ALB sources.
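The two checks the paragraph above describes (verify the signer field, and restrict inbound traffic to your own ALB) are easy to state but the first one is the one applications get wrong: the regional public-key endpoint serves a valid key for any load balancer's key id, so a signature check alone passes for a token minted by a rogue ALB. The following added example (not code from the original article, AWS, or Miggo) contrasts a signature-only verifier with one that pins the `signer` claim to the application's own load balancer ARN before doing anything else. The ARN, key ids and keys are constructed placeholders, and HMAC-SHA256 stands in for the ES256 signatures real ALB tokens use so that the example runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical ARN of the load balancer this application sits behind.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                   "loadbalancer/app/my-alb/0123456789abcdef")

# Constructed stand-in for the regional public-key endpoint. The real endpoint
# hands out the key for ANY load balancer's key id, so a rogue ALB's token
# verifies cleanly if the application only checks the signature. HMAC secrets
# replace ES256 key pairs here purely so the example runs offline.
PUBLIC_KEY_STORE = {
    "kid-victim-alb": b"constructed-victim-alb-key",
    "kid-rogue-alb": b"constructed-rogue-alb-key",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, signer: str, sub: str, exp: int = 0) -> str:
    """Produce a token the way an ALB would: the header carries kid, signer and exp."""
    header = {"alg": "HS256", "kid": kid, "signer": signer,
              "exp": exp or int(time.time()) + 120}
    payload = {"sub": sub, "email": f"{sub}@example.invalid"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "." +
                     _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(PUBLIC_KEY_STORE[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _split(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    payload = json.loads(_b64url_decode(body_b64))
    return header, payload, f"{head_b64}.{body_b64}", _b64url_decode(sig_b64)


def _signature_ok(header: dict, signing_input: str, sig: bytes) -> bool:
    # Key selection by kid alone is the weak spot: any ALB's kid resolves to a key.
    key = PUBLIC_KEY_STORE.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_signature_only(token: str, now: float = 0.0):
    """Misconfigured pattern: kid lookup, signature and expiry, but no signer check."""
    try:
        header, payload, signing_input, sig = _split(token)
    except ValueError:
        return None
    if not _signature_ok(header, signing_input, sig):
        return None
    if header.get("exp", 0) <= (now or time.time()):
        return None
    return payload


def verify_hardened(token: str, expected_signer: str = EXPECTED_SIGNER, now: float = 0.0):
    """Hardened pattern: refuse anything not signed by our own ALB before any key lookup."""
    try:
        header, payload, signing_input, sig = _split(token)
    except ValueError:
        return None
    if header.get("signer") != expected_signer:
        return None
    if header.get("alg") != "HS256":  # pin the algorithm (ES256 for real ALB tokens)
        return None
    if not _signature_ok(header, signing_input, sig):
        return None
    if header.get("exp", 0) <= (now or time.time()):
        return None
    return payload


if __name__ == "__main__":
    rogue_arn = "arn:aws:elasticloadbalancing:us-east-1:999999999999:loadbalancer/app/rogue/ffff"
    rogue_token = mint_token("kid-rogue-alb", rogue_arn, "alice")
    print("signature-only accepts rogue token:", verify_signature_only(rogue_token) is not None)
    print("hardened accepts rogue token:", verify_hardened(rogue_token) is not None)
```

In a real deployment the token arrives in the `x-amzn-oidc-data` request header, the public key is fetched by `kid` from the regional `public-keys.auth.elb.<region>.amazonaws.com` endpoint and verified as ES256 (for instance with PyJWT), and the `signer` comparison is the step that closes the ALBeast hole; the security-group restriction is the second, independent layer so that a request that never passed through your ALB cannot reach the target at all.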
Liad Eliyahu, Research Lead at Miggo, described the flaw as systemic, warning that it affects a wide range of applications integrated with AWS ALB. Miggo's investigation revealed that unless developers act quickly to secure their configurations, their applications remain vulnerable to exploitation.
AWS has responded to the situation by clarifying that the issue is not an inherent vulnerability within the ALB but rather a result of misconfigured customer applications. AWS emphasized that such misconfigurations allow unauthorized access, advising customers to restrict their applications to only accept requests from their ALB by using proper security group settings and following ALB security best practices. AWS has also directly contacted affected customers to guide them on secure configuration practices.