Fargate is comparatively safe: Amazon’s design makes the EC2 host, not the container, the security boundary. When multiple tasks with varying IAM roles share the same EC2 instance, the risk of lateral escalation via ECScape increases. AWS did not immediately respond to CSO’s request for comment.

Sweet Security has recommended mitigations that include disabling or restricting IMDS access from less-trusted tasks so they can’t obtain instance credentials, avoiding co-hosting low- and high-privilege tasks on the same EC2 instance, and switching to AWS Fargate, which provides better task isolation.

“AWS Fargate tasks don’t share an underlying host with other tasks; each Fargate task runs in its own micro VM with its own isolated IMDS and ECS agent,” Haziz explained. “ECScape does not apply to Fargate because there is no co-tenancy of the instance.”

A CVE ID has been requested for ECScape, and Sweet Security has published proof-of-concept (PoC) code for the vulnerability on GitHub. Haziz also shared a live demo of ECScape, adding that unmitigated instances require no misconfigurations on the user’s part. “All the default behaviors and settings of ECS on EC2 are enough for the attack to work,” he added.
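The co-tenancy condition the mitigations above target (tasks with different IAM task roles sharing one EC2 container instance) can be audited from task placement data. The script below is an added example, not code from the article or from Sweet Security’s PoC; it assumes flattened task records whose fields mirror what `ecs:DescribeTasks` and `ecs:DescribeTaskDefinition` return, and all records in it are constructed sample data.

```python
# Added example: flag EC2 container instances that host ECS tasks with more
# than one distinct IAM task role. Fargate tasks are skipped because each runs
# in its own micro VM and shares no host. Records below are constructed; the
# field names mirror ecs:DescribeTasks / ecs:DescribeTaskDefinition output.
from collections import defaultdict

ACCT = "123456789012"  # constructed account id
CI = f"arn:aws:ecs:us-east-1:{ACCT}:container-instance/demo"
ROLE = f"arn:aws:iam::{ACCT}:role"

SAMPLE_TASKS = [
    # Two different task roles on one instance: this is the case to flag.
    {"taskArn": "task/demo/t1", "launchType": "EC2",
     "containerInstanceArn": f"{CI}/ci-1", "taskRoleArn": f"{ROLE}/web-low-priv"},
    {"taskArn": "task/demo/t2", "launchType": "EC2",
     "containerInstanceArn": f"{CI}/ci-1", "taskRoleArn": f"{ROLE}/billing-admin"},
    # Same role twice on one instance: not a mixed-privilege host.
    {"taskArn": "task/demo/t3", "launchType": "EC2",
     "containerInstanceArn": f"{CI}/ci-2", "taskRoleArn": f"{ROLE}/web-low-priv"},
    {"taskArn": "task/demo/t4", "launchType": "EC2",
     "containerInstanceArn": f"{CI}/ci-2", "taskRoleArn": f"{ROLE}/web-low-priv"},
    # Fargate task: no shared EC2 host, so it is skipped.
    {"taskArn": "task/demo/t5", "launchType": "FARGATE",
     "containerInstanceArn": None, "taskRoleArn": f"{ROLE}/billing-admin"},
]


def find_mixed_privilege_instances(tasks):
    """Return {containerInstanceArn: sorted distinct task roles} for every EC2
    container instance whose tasks use more than one IAM task role.
    A task with no task role is recorded as "<no-task-role>"."""
    roles_by_instance = defaultdict(set)
    for task in tasks:
        if task.get("launchType") != "EC2" or not task.get("containerInstanceArn"):
            continue  # Fargate or unplaced tasks do not share an instance
        roles_by_instance[task["containerInstanceArn"]].add(
            task.get("taskRoleArn") or "<no-task-role>")
    return {inst: sorted(roles) for inst, roles in roles_by_instance.items()
            if len(roles) > 1}


if __name__ == "__main__":
    for inst, roles in find_mixed_privilege_instances(SAMPLE_TASKS).items():
        print(f"{inst}: {len(roles)} distinct task roles co-hosted: {', '.join(roles)}")
```

On a real cluster the same check runs over the output of `ecs:ListTasks` and `ecs:DescribeTasks`, with the task role resolved from each task definition.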
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4036655/ecscape-new-aws-ecs-flaw-lets-containers-hijack-iam-roles-without-breaking-out.html