Security Flaw in Amazon Linux AMI Exploited


On October 15th, 2021, Amazon released a new software vulnerability report that comprises a total of 8 software vulnerabilities. The vulnerabilities affect Amazon Linux AMI, one of Amazon’s Linux OS (operating system) images designed to work with AWS (Amazon Web Services). The report points to a problematic httpd24 component and includes one high-risk and two critical-risk software vulnerabilities. One of the more severe vulnerabilities has been confirmed as being exploited in the wild by cybercriminals.

This is yet another problem with the HTTPd component, arriving after a series of similar incidents reported around the industry affecting open-source components and cloud computing services. At a time when ransomware attacks are picking up again, and while 2021 is recording dangerous software vulnerabilities, considerable pressure is falling on security teams and developers to avoid writing insecure code.

About Amazon Linux AMI

According to Amazon’s AWS portal (Amazon Web Services), Amazon Linux AMI is “a supported and maintained Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2).” An Amazon Machine Image (AMI) is a cross-platform virtual component that by design creates virtual machines, or VMs (instances), within Amazon Elastic Compute Cloud (EC2). Without AMI, there would be no way to run web applications, deploy APIs, run images, and more on the cloud. AMI is very beneficial to large Big Data projects and also offers template presets for cloud architecture. AMI is also key for app development, as it allows app developers to quickly deploy new features and instances while creating apps.

Technical Details Surrounding The Linux AMI Security Flaws

In this case, the software vulnerabilities affecting Amazon’s Linux AMI are concentrated in the HTTPd component/package. They are categorized as follows, with the corresponding IDs from the CVE database:

  • CVE-2021-40438
  • CVE-2021-41773
  • CVE-2021-42013

CVE-2021-40438

A high-risk vulnerability, type Server-Side Request Forgery (SSRF). The disclosed vulnerability allows a remote attacker to perform SSRF attacks and exists due to insufficient validation of user-supplied input within the mod_proxy module in Apache HTTP Server. A remote attacker can send a specially crafted HTTP request with a chosen uri-path and trick the web server into initiating requests to arbitrary systems. Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network, or to send malicious requests to other servers from the vulnerable system. Amazon Linux AMI: 2017.03 is affected by this.

CVE-2021-41773

A critical-risk vulnerability, type Path Traversal. The vulnerability allows a remote attacker to perform directory traversal attacks and exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. The vulnerability can be used to execute arbitrary OS commands on the system.

Important note: this vulnerability is being actively exploited in the wild. Amazon Linux AMI: 2017.03 is affected by this.
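
The CVE-2021-41773 description above says requests succeed only where files outside the document root are not protected by “require all denied”. The following is an added example, not code from Amazon's advisory or from this article, that audits httpd configuration text for that setting. The sample configurations, the function name audit_httpd_conf and the path /opt/reports are constructed for illustration, and the parser is simplified (it does not follow Include directives or handle DirectoryMatch sections).

```python
import re

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """\
DocumentRoot "/var/www/html"
<Directory />
    Require all granted
</Directory>
<Directory "/opt/reports">
    Require all granted
</Directory>
"""
HARDENED_CONF = """\
DocumentRoot "/var/www/html"
<Directory />
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""
OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)
REQUIRE = re.compile(r'Require\s+all\s+(granted|denied)\b', re.I)
DOCROOT = re.compile(r'DocumentRoot\s+"?([^"\s]+)"?', re.I)

def audit_httpd_conf(text):
    """Return findings about filesystem access rules in httpd config text."""
    docroot, current, rules = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        if m := DOCROOT.match(line):
            docroot = m.group(1).rstrip("/") or "/"
        elif m := OPEN.match(line):
            current = m.group(1).rstrip("/") or "/"
        elif CLOSE.match(line):
            current = None
        elif current and (m := REQUIRE.match(line)):
            rules[current] = m.group(1).lower()  # last directive in a section wins
    findings = []
    if rules.get("/") != "denied":  # missing section counts as unprotected
        findings.append("<Directory /> lacks 'Require all denied'")
    for path, verdict in rules.items():
        inside = docroot and (path == docroot or path.startswith(docroot + "/"))
        if verdict == "granted" and path != "/" and not inside:
            findings.append(f"'Require all granted' outside DocumentRoot: {path}")
    return findings
```

An empty result for the hardened sample and two findings for the weak one show the difference; the check complements the package update and does not replace it.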

CVE-2021-42013

A critical-risk vulnerability, type OS Command Injection. The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system and exists due to an insufficient fix for the path traversal vulnerability #VU57063 (CVE-2021-41773). A remote unauthenticated attacker can send a specially crafted HTTP request to the affected server and execute arbitrary OS commands on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system. Amazon Linux AMI: 2017.03 is affected by this.

Safety Recommendations For Users

Because one of the vulnerabilities is being exploited for malicious purposes, updates must be applied as swiftly as possible. Amazon recommends the following ‘correction’ for this issue: “Run yum update httpd24 to update your system”.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.