Researchers report path traversal vulnerability in AWS SSM Agent's Plugin ID Validation
Take action: If you are using AWS SSM Agent, update to version 3.3.1957.0 or newer on all your systems to patch this flaw. Additionally, review existing SSM documents for suspicious plugin IDs and restrict who can create or modify these documents in your AWS environment.
Learn More
A vulnerability has been identified in the AWS Systems Manager (SSM) Agent that could allow attackers to execute arbitrary code with elevated privileges.
The flaw, discovered by researcher Elad Beber, stems from improper input validation within the AWS SSM Agent, a core component used to remotely manage and configure EC2 instances and on-premises servers across AWS environments worldwide.
The vulnerability resides in the ValidatePluginId function in pluginutil.go in the AWS SSM Agent GitHub repository (https://github.com/aws/amazon-ssm-agent). The function did not reject path traversal sequences such as '../' in a plugin ID, so whoever authors an SSM document could supply a plugin ID that escapes its intended directory.
When an SSM document is executed, the agent uses the plugin ID as the name of a subdirectory in which it writes a _script.sh file and then runs that file as root. That subdirectory is expected to reside under /var/lib/amazon/ssm/INSTANCE_ID/document/orchestration/. Because the validation did not reject traversal sequences, an attacker who controls the plugin ID can make the agent create the directory, and execute the script, in an unintended location on the filesystem.
In the demonstrated exploit, the plugin name in an SSM document is set to a traversal string such as '../../../../../../malicious_directory'. When the document is executed, the agent creates the directory wherever the traversal resolves, for example under /tmp:
The SSM Agent would create the directory: /var/lib/amazon/ssm/i-0f0e6cd9737635752/document/orchestration/../../../../../../../../../../tmp/
This resolves to /tmp/, where a _script.sh file is generated and executed with root privileges, potentially enabling privilege escalation and system compromise.
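To make both the flaw and the review step from the "Take action" note concrete, here is an added Go example; it is not code from the AWS SSM Agent. It shows an unchecked join of the plugin ID onto the orchestration directory, which reproduces the /tmp resolution described above, a hardened join that allow-lists the plugin ID and then verifies the result stays inside the orchestration root (a hypothetical stand-in for the kind of check the fix introduced, not the agent's BuildSafePath), and a scan of an SSM document's mainSteps for step names carrying traversal sequences. The instance ID comes from this write-up; the sample document is constructed, and the assumption that each mainStep's "name" is the plugin ID the agent uses as a directory name is the example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ssmDocument holds the subset of a schema 2.x SSM document used here. The
// example assumes each mainStep's "name" is the plugin ID the agent turns into
// a directory name.
type ssmDocument struct {
	MainSteps []struct {
		Action string `json:"action"`
		Name   string `json:"name"`
	} `json:"mainSteps"`
}

var errUnsafePluginID = errors.New("unsafe plugin ID")

// isSafePluginID accepts exactly one path component made of letters, digits,
// '-', '_' and '.', and rejects "", ".", ".." and anything with a separator.
func isSafePluginID(id string) bool {
	if id == "" || id == "." || id == ".." {
		return false
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '-', r == '_', r == '.':
		default:
			return false
		}
	}
	return true
}

// unsafeOrchestrationPath mirrors the pre-fix behaviour described in the
// write-up: the plugin ID is joined onto the orchestration directory with no
// containment check, so "../" sequences walk out of the tree.
func unsafeOrchestrationPath(root, pluginID string) string {
	return filepath.Join(root, pluginID)
}

// safeOrchestrationPath is a hypothetical hardened join: allow-list the plugin
// ID, then confirm the cleaned path is still inside root. It is not the
// agent's BuildSafePath.
func safeOrchestrationPath(root, pluginID string) (string, error) {
	if !isSafePluginID(pluginID) {
		return "", fmt.Errorf("%w: %q", errUnsafePluginID, pluginID)
	}
	cleanRoot := filepath.Clean(root)
	p := filepath.Join(cleanRoot, pluginID)
	// Defence in depth: even after the allow-list, verify containment.
	if p == cleanRoot || !strings.HasPrefix(p, cleanRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", errUnsafePluginID, pluginID, cleanRoot)
	}
	return p, nil
}

// suspiciousPluginIDs parses an SSM document and returns every step name that
// fails isSafePluginID, for reviewing existing documents.
func suspiciousPluginIDs(docJSON []byte) ([]string, error) {
	var doc ssmDocument
	if err := json.Unmarshal(docJSON, &doc); err != nil {
		return nil, err
	}
	var bad []string
	for _, s := range doc.MainSteps {
		if !isSafePluginID(s.Name) {
			bad = append(bad, s.Name)
		}
	}
	return bad, nil
}

// sampleDoc is a constructed document: one benign step and one whose plugin ID
// carries the traversal string from the write-up.
const sampleDoc = `{
  "schemaVersion": "2.2",
  "description": "constructed example",
  "mainSteps": [
    {"action": "aws:runShellScript", "name": "runCommands",
     "inputs": {"runCommand": ["id"]}},
    {"action": "aws:runShellScript", "name": "../../../../../../../../../../tmp",
     "inputs": {"runCommand": ["id"]}}
  ]
}`

func main() {
	root := "/var/lib/amazon/ssm/i-0f0e6cd9737635752/document/orchestration"
	bad, err := suspiciousPluginIDs([]byte(sampleDoc))
	if err != nil {
		panic(err)
	}
	fmt.Println("suspicious plugin IDs:", bad)
	for _, id := range append([]string{"runCommands"}, bad...) {
		fmt.Printf("unsafe join: %s\n", unsafeOrchestrationPath(root, id))
		p, err := safeOrchestrationPath(root, id)
		fmt.Printf("safe join:   %q err=%v\n", p, err)
	}
}
```

Running it shows the unsafe join collapsing the traversal plugin ID to /tmp, exactly the resolution described above, while the hardened join rejects it and accepts only the benign step name. The same scan can be pointed at the output of `aws ssm get-document` when reviewing existing documents.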
Following responsible disclosure on February 12, 2025, AWS patched the vulnerability on March 5, 2025, with the release of Amazon SSM Agent version 3.3.1957.0. According to the release notes published by AWS on GitHub, they "Add[ed] and use[d] BuildSafePath method to prevent path traversal in the orchestration directory."
Users should update to AWS SSM Agent 3.3.1957.0 or later on every managed instance and restrict who can author SSM documents or send commands to the agent, since the plugin ID is supplied by whoever writes or runs the document.