SentinelOne researchers have found a serious vulnerability in multiple cloud services, including popular services from AWS. The vulnerability has since been patched.

SentinelLabs is the research arm of the security company SentinelOne. The team looks for and finds vulnerabilities in commonly used technology. Findings are first shared with the supplier or developer of the affected service or product, and SentinelLabs publishes details only after a patch is available, an important precaution to prevent abuse while the vulnerability is still unpatched.

Earlier this year, SentinelLabs found a vulnerability in Eltima SDK. Multiple vendors, including AWS, incorporate Eltima SDK into their products and cloud services, so millions of users worldwide come into contact with it. Their organizations were at risk for months.

The method

One of the tools in Eltima SDK makes it possible to redirect a local USB device to a remote machine, for example a virtual machine in AWS WorkSpaces, one of the services that incorporates Eltima SDK. SentinelLabs found vulnerabilities in the drivers through which Eltima SDK redirects USB data, and used an overflow in those drivers to run code in the kernel of the operating system.

The consequence

SentinelLabs used different methods for the various solutions found to be vulnerable, including Amazon AppStream, NoMachine for Windows, Accops HyWorks for Windows, FlexiHub and Donglify. The risk was the same for each solution: code could be run in the kernel of the operating system on which Eltima SDK was used, for example to grant elevated privileges.

Accops responded to the news with an FAQ page for concerned users, as did NoMachine. Every supplier, including FlexiHub and Donglify, pushed the patch out automatically. Since AWS WorkSpaces users have the option to disable automatic maintenance, SentinelLabs recommends that those users update the client manually.


Last Update: June 23, 2023