Lightspin has announced the discovery of a cross-account access vulnerability discovered in AWS’s SageMaker Jupyter Notebook Instance.
Lightspin’s research team found this vulnerability as part of its ongoing research into security in data science tools. The team investigated Amazon’s SageMaker which is a fully managed machine learning (ML) service in AWS.
Amazon SageMaker helps data scientists and developers to prepare, build, train, and deploy high-quality machine learning (ML) models quickly by bringing together a broad set of capabilities purpose-built for ML. SageMaker launched in 2017 and is used by some of the world’s leading global enterprises, meaning any discovery of areas of exploitation could have widespread impact.
The research team investigated the potential vulnerabilities that could be attached to Amazon’s SageMaker, and more specifically the Jupyter Notebook Instances. During their research, the team found that potential attackers had been able to run any code on an AWS SageMaker Jupyter Notebook Instance across accounts.
This allowed them to access the Notebook Instance metadata endpoint and steal access tokens for the attached role. Using the access token, the attacker could have read data from S3 buckets, created VPC endpoints, and taken more potentially harmful actions that were allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy.
Since the discovery of this vulnerability, the Lightspin team contacted the AWS Security team to alert them of the findings. As of this writing, the vulnerability has since been remediated.
“It is nearly impossible for a company to have complete security control when a single app flaw can leave a door open to cyberattacks,” said Gafnit Amiga, Director of Research at Lightspin. “We believe in advanced research of managed services in order to enhance the product’s detection capabilities and to improve the resilience of the cloud providers for everyone.”