EC2 Metadata Exposure via SSRF
Researchers Mitigate Exposure of EC2 Metadata via SSRF
“This fully mitigates exposure of EC2 Metadata via SSRF as SSRF vulnerabilities do not generally expose the ability to specify headers, and an attacker would need to determine the secret in addition,” the researchers added.
Recommended Security Measures
Additionally, users are advised to consider applying WAF rules at the endpoint concerned to disallow requests from flagged IP addresses and requests containing “169.254.169.254”, which is the internal IP used by AWS (as well as Azure and Google Cloud) to serve Instance Metadata to EC2 instances.
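The matching logic behind such a rule can be sketched in a few lines. The following is an added example, not code from the researchers or from any WAF product: it flags requests that come from the source IPs named in this article or that carry the metadata IP in the request target, including when it is percent-encoded. The log layout, parameter names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

METADATA_IP = "169.254.169.254"
# Source IPs named in the campaign details of this article
FLAGGED_SOURCES = {"193.41.206.72", "193.41.206.189"}

# Assumed (constructed) log layout: "<client_ip> <METHOD> <path?query>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so an encoded IP is still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the reasons a request should be blocked (empty list = allow)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return ["unparseable"]
    reasons = []
    if m["ip"] in FLAGGED_SOURCES:
        reasons.append("flagged-source")
    if METADATA_IP in fully_decode(m["target"]):
        reasons.append("metadata-ip-in-request")
    return reasons

# Constructed sample lines, not taken from real traffic
SAMPLE = [
    "203.0.113.10 GET /index.html",
    "193.41.206.189 GET /?url=http://169.254.169.254/",
    "198.51.100.7 GET /fetch?dest=http%3A%2F%2F169.254.169.254%2F",
    "198.51.100.7 GET /fetch?dest=http%253A%252F%252F169%252E254%252E169%252E254",
    "193.41.206.72 GET /health",
]

def blocked(lines):
    """Map each line that should be blocked to its list of reasons."""
    return {line: r for line in lines if (r := classify(line))}

if __name__ == "__main__":
    for line, reasons in blocked(SAMPLE).items():
        print(", ".join(reasons), "<-", line)
```

The check covers only the request line; a real rule would also need to inspect request bodies and headers where the application reads URLs from them.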
Campaign Details
Threat actors conducted initial reconnaissance on March 13 from IP 193.41.206.72, researchers added. The main campaign began two days later from IP 193.41.206.189, cycling through multiple IPs within the same ASN over six days, before tapering off and ending by March 25.
“All IP addresses in the campaign belong to the ASN:34534. This ASN is owned by a French company ‘FBW NETWORKS SAS’, even though geographically the IPs are based in both France and Romania.”
Conclusion
The researchers have successfully mitigated the exposure of EC2 Metadata via SSRF, by addressing the vulnerability and providing recommended security measures. The campaign details highlight the importance of monitoring and tracking IP addresses to prevent such attacks.
FAQs
Q: What is SSRF?
A: SSRF stands for Server-Side Request Forgery, a type of vulnerability that allows an attacker to make requests to internal or external servers.
Q: How does SSRF expose EC2 Metadata?
A: SSRF vulnerabilities can expose EC2 Metadata by allowing attackers to make requests to internal IP addresses, including the internal IP used by AWS (169.254.169.254) to serve Instance Metadata to EC2 instances.
Q: What are the recommended security measures to prevent SSRF attacks?
A: Users are advised to consider applying WAF rules at the endpoint concerned to disallow requests from flagged IP addresses and requests containing “169.254.169.254”, which is the internal IP used by AWS (as well as Azure and Google Cloud) to serve Instance Metadata to EC2 instances.
Q: What is the ASN:34534?
A: ASN:34534 is the Autonomous System Number owned by a French company “FBW NETWORKS SAS”, even though geographically the IPs are based in both France and Romania.