Ethical Hacking News
A critical vulnerability has been discovered in Amazon Web Services' (AWS) Simple Systems Manager (SSM) Agent, which could have allowed attackers to execute arbitrary code with elevated privileges on EC2 instances and on-premises servers. The vulnerability was addressed by AWS after responsible disclosure.
A critical vulnerability was discovered in Amazon Web Services (AWS) Simple Systems Manager (SSM) Agent, allowing attackers to execute arbitrary code with elevated privileges.
The vulnerability, a path traversal flaw, arose from improper validation of plugin IDs and allowed attackers to manipulate the filesystem.
Proper input validation and sanitization are crucial when working with third-party plugins and scripts to prevent similar vulnerabilities.
AWS released a patch (version 3.3.1957.0) addressing the vulnerability, which added a new method called "BuildSafePath" to prevent path traversal in the orchestration directory.
The discovery highlights the importance of ongoing security monitoring and testing for AWS customers.
Amazon Web Services (AWS) has recently addressed a critical vulnerability in its Simple Systems Manager (SSM) Agent, which could have allowed attackers to execute arbitrary code with elevated privileges on EC2 instances and on-premises servers. The SSM Agent is a component of AWS that enables administrators to remotely manage, configure, and execute commands on EC2 instances and on-premises servers.
The vulnerability, discovered by Cymulate, was a path traversal flaw arising from improper validation of plugin IDs. This allowed attackers to manipulate the filesystem and execute arbitrary code with elevated privileges. The issue was rooted in a function named "ValidatePluginId" within pluginutil.go.
The discovery of this flaw highlights the importance of proper input validation and sanitization when working with third-party plugins and scripts. In this case, the vulnerability was caused by a failure to properly sanitize input, which let attackers supply malicious plugin IDs containing path traversal sequences (e.g., ../). An attacker could furnish a specially crafted plugin ID when creating an SSM document (e.g., ../../../../../../malicious_directory) and so execute arbitrary commands or scripts on the underlying file system, paving the way for privilege escalation and other post-exploitation actions.
In response to responsible disclosure, AWS released Amazon SSM Agent version 3.3.1957.0, which addressed the vulnerability by adding a new method called "BuildSafePath" to prevent path traversal in the orchestration directory. The patch ensures that plugin IDs are properly validated and sanitized, so that a crafted ID can no longer be used for path traversal.
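The kind of containment check described above can be sketched in Go, the language the agent is written in. This is an added example, not AWS's code or the actual BuildSafePath implementation; the function names, the allow-list pattern and the base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed allow-list for illustration; the agent's real ID rules are not shown in the article.
var pluginIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

var ErrUnsafePluginID = errors.New("unsafe plugin ID")

// naiveJoin shows the flawed pattern: the ID reaches the path join unvalidated.
func naiveJoin(base, pluginID string) string {
	return filepath.Join(base, pluginID)
}

// safeJoin (hypothetical name) validates the ID, then confirms the cleaned
// result is still located under base before returning it.
func safeJoin(base, pluginID string) (string, error) {
	if !pluginIDPattern.MatchString(pluginID) || strings.Contains(pluginID, "..") {
		return "", ErrUnsafePluginID
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, pluginID)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePluginID
	}
	return candidate, nil
}

func main() {
	base := "/var/lib/example/orchestration" // constructed directory, not the agent's real path
	for _, id := range []string{"step-1", "../../../../../../malicious_directory", "a/../../b"} {
		p, err := safeJoin(base, id)
		fmt.Printf("id=%q naive=%q safe=%q err=%v\n", id, naiveJoin(base, id), p, err)
	}
}
```

The allow-list rejects separators outright, and the relative-path check is a second layer that still holds if the allow-list is later loosened.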
The discovery of this flaw also underscores the importance of ongoing security monitoring and testing for AWS customers. As AWS continues to evolve and improve its services, it is essential for customers to stay vigilant and up-to-date with the latest security patches and best practices.
In addition, this vulnerability highlights the need for secure coding practices and input validation when working with third-party plugins and scripts. Developers should always prioritize proper sanitization and validation of user input to prevent similar vulnerabilities in the future.
The Amazon EC2 SSM Agent path traversal flaw is a critical reminder of the importance of ongoing security monitoring and testing, as well as the need for secure coding practices and input validation. As AWS continues to evolve and improve its services, it is essential for customers to stay informed and up-to-date with the latest security patches and best practices.
Published: Tue Apr 8 13:23:28 2025 by llama3.2 3B Q4_K_M