CyberSecurityBoard
Sponsor Register Login

AWS Systems Manager Plugin Vulnerability Let Attackers Execute Arbitrary Code

In a demonstrated exploit, an attacker could set the plugin name in an SSM document to a path traversal string such as ‘../../../../../../malicious_directory’. When this document is executed, the SSM Agent erroneously creates directories in unintended locations, such as the /tmp directory. The vulnerability emerges from a lack of rigorous validation that permits attackers to manipulate these plugin IDs, resulting in unauthorized file creation and script execution with root privileges. Successful exploitation could allow attackers to create directories in unintended locations, execute arbitrary scripts with root privileges, and potentially escalate privileges by writing files to sensitive areas of the system. The vulnerability, stemming from improper input validation within the ValidatePluginId function, affects a core component used to manage EC2 instances and on-premises servers across AWS environments worldwide. This function fails to properly sanitize user inputs on plugin IDs, allowing attackers to include malicious path traversal sequences such as ‘../’ in the plugin ID. “The SSM Agent is a crucial component for remotely managing and configuring EC2 instances and on-premises servers,” explains the security advisory. Cloud administrators are urged to enforce proper input validation and maintain vigilant monitoring for unusual system behaviors to protect sensitive data and ensure system integrity. According to Cymulate’s report, the vulnerability resides in the ValidatePluginId function within the pluginutil.go file in the official AWS SSM Agent GitHub repository. For organizations using AWS SSM Agent, immediate remediation through patching is critical to mitigate potential exploitation attempts, as adversaries continue to target cloud infrastructure with increasingly sophisticated techniques. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. This resolves to a location where a _script.sh file is generated and executed with root privileges, potentially enabling privilege escalation and system compromise. “Add and use BuildSafePath method to prevent path traversal in the orchestration directory,” stated the release notes published by AWS on GitHub.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 09 Apr 2025 08:00:13 +0000


Cyber News related to AWS Systems Manager Plugin Vulnerability Let Attackers Execute Arbitrary Code

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
GCP to AWS migration: A Comprehensive Guide - Embarking on a GCP to AWS migration journey can be both exciting and challenging. Before we dive into the technical details, let's explore why businesses might consider migrating from GCP to AWS. While GCP offers a range of services, AWS boasts an ...
1 year ago Feeds.dzone.com
CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent - CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor. These accomplishments demonstrate our ...
1 year ago Crowdstrike.com
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
8 months ago Aws.amazon.com
Shaping the Future of Finance: The Cisco and AWS Collaboration in EMEA - The collaboration between Cisco and Amazon Web Services in the Europe, Middle East, and Africa region-combining each company's market leading strengths-continues to deliver impressive outcomes for our customers, notably within the Financial Services ...
1 year ago Feedpress.me
AWS CloudQuarry: Digging for Secrets in Public AMIs - Money, secrets and mass exploitation: This research unveils a quarry of sensitive data stored in public AMIs. As a best practice, AMI creators should not include credentials, including AWS account credentials, in published AMIs. We wanted to scan all ...
1 year ago Packetstormsecurity.com
CVE-2024-37293 - The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or ...
1 year ago Tenable.com
Rundown of Security News from AWS re:Invent 2023 - Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. The focus over the four days, as expected, is on AI as AWS strives to show that its offerings can match - or surpass - ...
1 year ago Darkreading.com
SentinelLabs Details Discovery of FBot Tool for Compromising Cloud Services - SentinelLabs today published a report identifying a Python-based tool that cybercriminals are using to compromise cloud computing and software-as-a-service platforms. Alex Delamotte, senior threat researcher at SentinelLabs, said FBot is used to take ...
1 year ago Securityboulevard.com
7 Rules to Improve AWS Security and Reduce Unwanted Incidents - Security of your AWS infrastructure is ultimately up to you. As the largest cloud services provider, AWS invests heavily to ensure its cloud environment is secure. Much of AWS security is still left to the customer, especially with regard to managing ...
2 years ago Beyondtrust.com
What happens when you accidentally leak your AWS API keys? - My situation had no ill consequences, but it could have if I had used my actual email for the script or if my project was bigger and I had used AWS or another cloud provider and hardcoded those credentials. In a later class I did learn how to safely ...
1 year ago Isc.sans.edu
A Handbook for Managing Containers on Amazon Web Services - Container management is a way to help you create, govern, and maintain your containers. There are tools and services available that can automate the creation, deployment, maintenance, scaling, and monitoring of application or system containers. In ...
2 years ago Trendmicro.com
whoAMI attacks give hackers code execution on Amazon EC2 instances - The attacker only needs an AWS account to publish their backdoored AMI to the public Community AMI catalog and strategically choose a name that mimics the AMIs of their targets. The issue was fixed last year on September 19, and on December 1st AWS ...
4 months ago Bleepingcomputer.com
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - Security teams should combine this with AWS security best practices, such as enabling CloudTrail logging for API activity monitoring, implementing IAM policies based on least-privilege principles, and rotating credentials via the AWS Secrets Manager ...
4 months ago Cybersecuritynews.com
A Single Cloud Compromise Can Feed an Army of AI Sex Bots – Krebs on Security - “Once initial access was obtained, they exfiltrated cloud credentials and gained access to the cloud environment, where they attempted to access local LLM models hosted by cloud providers: in this instance, a local Claude (v2/v3) LLM model from ...
8 months ago Krebsonsecurity.com
CVE-2023-35165 - AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 ...
1 year ago
The Embedded Systems and The Internet of Things - The Internet of Things is a quite new concept dealing with the devices being connected to each other and communicating through the web environment. This concept is gaining its popularity amongst the embedded systems that exist - let's say - 10 or ...
1 year ago Cyberdefensemagazine.com
AWS Defaults Silently Introduce New Attack Paths That Let Hackers Escalate Privilege & Account Compromise - Aqua Security researchers identified these high-risk default roles across multiple AWS services, including SageMaker, Glue, and EMR, as well as in popular open-source projects like Ray. Researchers demonstrated that simply importing a malicious model ...
1 month ago Cybersecuritynews.com
IT and OT cybersecurity: A holistic approach - In comparison, OT refers to the specialized systems that control physical processes and industrial operations. OT Technologies include industrial control systems, SCADA systems and programmable logic controllers that directly control physical ...
1 year ago Securityintelligence.com
AWS Systems Manager Plugin Vulnerability Let Attackers Execute Arbitrary Code - In a demonstrated exploit, an attacker could set the plugin name in an SSM document to a path traversal string such as ‘../../../../../../malicious_directory’. When this document is executed, the SSM Agent erroneously creates directories ...
2 months ago Cybersecuritynews.com
AWS Root vs IAM User: What to Know & When to Use Them - In Amazon Web Services, there are two different privileged accounts. One is defined as Root User and the other is defined as an IAM User. In this blog, I will break down the differences of an AWS Root User versus an IAM account, when to use one ...
2 years ago Beyondtrust.com
AWS rolls out ML-KEM to secure TLS from quantum threats - Amazon Web Services (AWS) has added support for the ML-KEM post-quantum key encapsulation mechanism to AWS Key Management Service (KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager, making TLS connections more secure. ML-KEM ...
2 months ago Bleepingcomputer.com
Explore Redis for User Session Management on AWS Elasticache - Just as cities use various systems to keep track of their inhabitants and visitors, web applications rely on user session management to maintain a smooth experience for each person navigating through them. User session management is the mechanism by ...
1 year ago Feeds.dzone.com
CVE-2021-40830 - The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the ...
3 years ago
CVE-2021-40831 - The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been ...
3 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)