Risks posed by pre-configured images for Amazon's cloud
Amazon cloud customers have access to more than 8,000 pre-configured Amazon Machine Images (AMIs) worldwide. That many of these AMIs contain a variety of security holes was demonstrated by Darmstadt-based researchers, who examined about 1,100 AMIs back in June. Now, a group of researchers at the EURECOM research centre in France has investigated more than half of the images that are available worldwide and has found the same vulnerabilities, as well as additional problems.
The Windows AMIs, which represented a small proportion of the 5,300 images that were examined, were particularly badly affected. Security issues were found in 246 out of 253 Windows appliances. A bug that allows arbitrary code to be executed when a certain web site is accessed in Internet Explorer was especially common.
A number of Linux AMIs still included the old Debian OpenSSL packages whose broken random number generator produces predictable SSH keys (CVE-2008-0166); the bug has been public since 2008. Upgrading the package alone does not help, because keys generated while it was installed stay weak and have to be regenerated. Obsolete software is not the only problem that was found in the AMIs, however: the researchers frequently discovered AWS Access Keys that allow services to be started at the key holder's expense.
They also discovered private SSH keys, as well as SSH daemons configured to accept password logins, which are open to brute-force attacks. Deleting sensitive data before publishing an image is not enough either: using Linux tools such as extundelete, the researchers reconstructed deleted files from an image's filesystem and in the process recovered several supposedly deleted AWS and SSH keys.
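The three problems that can be checked without special tooling (leftover AWS access key IDs, private key files and password logins in sshd_config) lend themselves to a quick audit of a mounted image before it is published. The script below is an added example, not the researchers' or Amazon's tooling; it assumes the image's root filesystem is mounted at a directory passed as the argument, and its sample tree uses the placeholder key ID from the AWS documentation plus a constructed, non-functional "private key".

```sh
#!/bin/sh
# audit_ami.sh: scan a mounted AMI root filesystem for the leftovers described
# above. Added example; run as  ./audit_ami.sh /mnt/ami-root
# Exit status of audit_ami is non-zero when anything was found.

# AWS access key IDs: 20 upper-case alphanumerics starting with AKIA
# (assumption: the classic prefix; temporary-credential IDs start with ASIA).
AWS_KEY_RE='AKIA[0-9A-Z]{16}'

# Files containing an AWS access key ID.
find_aws_keys() {
    grep -rEl -e "$AWS_KEY_RE" "$1" 2>/dev/null
}

# Files containing PEM private key material of any type (RSA, DSA, EC, ...).
find_private_keys() {
    grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null
}

# True (0) unless sshd_config explicitly sets PasswordAuthentication no.
# A missing file counts as enabled, because OpenSSH's default is "yes".
# Caveat: per-user "Match" blocks are not evaluated here.
password_auth_enabled() {
    cfg="$1/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 0
    ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$cfg"
}

# One line per finding, tagged with the finding class.
audit_ami() {
    find_aws_keys "$1"     | sed 's|^|aws-access-key-id: |'
    find_private_keys "$1" | sed 's|^|private-key: |'
    if password_auth_enabled "$1"; then
        echo "password-auth: $1/etc/ssh/sshd_config"
    fi
}

# Number of findings for a root directory (0 means clean).
finding_count() {
    audit_ami "$1" | wc -l | tr -d ' '
}

# Build a constructed "leaky" image tree for demonstration purposes.
# AKIAIOSFODNN7EXAMPLE is the placeholder ID used in AWS documentation;
# the key body below is not a real key.
make_sample_root() {
    mkdir -p "$1/root/.aws" "$1/root/.ssh" "$1/etc/ssh"
    printf '%s\n' '[default]' \
        'aws_access_key_id = AKIAIOSFODNN7EXAMPLE' \
        'aws_secret_access_key = not-a-real-secret' > "$1/root/.aws/credentials"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIBOgIBAAJBAKconstructedsamplenotarealkey' \
        '-----END RSA PRIVATE KEY-----' > "$1/root/.ssh/id_rsa"
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$1/etc/ssh/sshd_config"
}

# Audit the directory given on the command line, if any.
[ $# -eq 1 ] && audit_ami "$1"
```

Secret access keys are deliberately not matched: they are 40 characters of base64-like text with no fixed prefix, so a pattern for them drowns in false positives; finding the key ID is enough to know the credentials file has to go. Detecting keys from the broken Debian generator needs the published blacklists and is not covered here, and none of this finds the deleted-but-recoverable copies the researchers pulled back with extundelete; for those the free space of the volume has to be overwritten before the snapshot is taken.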
On the whole, the researchers found authentication data in about one-fifth of the examined AMIs and were able to reconstruct deleted files in 98 per cent of images. Amazon has informed its customers of these problems and has released guidelines on how to avoid AMI security issues. A tutorial is provided to help developers create secure AMIs.