CloudFront Instance Takeover: Missing Origin Elastic Beanstalk Instance

This plugin recognizes instances of CloudFront configured to be the source and application of Elastic Beanstalk.

Risk Level: High

Description: 

This plugin recognizes instances of CloudFront configured to be the source and application of Elastic Beanstalk. This setup can lead to acquisitions of domains where a malicious user is able to download content that might damage a corporate brand image on another AWS account with the same DNS name. This vulnerability is used by an attacker to deface, if not patched, your subdomains.

PingSafe strongly recommends ensuring that all such CloudFront instances are removed.

About the Service :

Amazon CloudFront is a web service that accelerates your online content delivery to your users, such as.html,.css,.js, or picture files. CloudFront provides your content over a global data center network known as edge locations. When a user requires the material you provide with CloudFront, the request is routed to the lowest delay location, which ensures the optimum performance for the content.

Impact : 

This configuration can lead to the domain acquisition in which a malicious person can upload content that damage the corporate image to an instance with the same DNS name on another AWS account. A vulnerability is used by an attacker to deface your subdomains if not patched.


What is Account Takeover?

The takeover of accounts is a kind of theft of personal identification and fraud in which a hostile third party has access to user credentials successfully. By acting as true users, cyber thieves can modify account information, send emails, steal financial or sensitive information or utilize any information gained in order to access more accounts in the business.

Steps to reproduce :

  1. Log In to AWS Console.
  2. Navigate to Cloudfront dashboard. (https://console.aws.amazon.com/cloudfront/ )
  3. Move to “Distributions” and click on the distribution you want to examine.
  4. Then move to “Origins” and check the Origin Domain. If the domain contains .elb that suggests it is elastic beanstalk.
  5. Next, check for the domain in the EC2 elastic beanstalk load balancer.
  6. We can clearly see that it is not present that suggests that the origin elastic beanstalk instance is missing.
  7. Repeat steps for other distributions.

Steps for remediation :

  1. Log In to AWS Console.
  2. Navigate to Cloudfront dashboard. (https://console.aws.amazon.com/cloudfront/ )
  3. Move to “Distributions” and click on the distribution you want to examine.
  4. Then move to “Origins” and check the Origin Domain. If the domain contains .elb that suggests it is elastic beanstalk.
  5. Next, check for the domain in the EC2 elastic beanstalk load balancer.
  6. We can clearly see that it is not present that suggests that the origin elastic beanstalk instance is missing.
  7. Next, in order to overcome this issue we will delete the distribution with missing  origin elastic beanstalk instance.
  8. We will select the distribution and click on “Actions” and click on “Delete”.
  9. Repeat steps for other distributions.

References: