Earlier this year, in January 2021, cloud security researchers from Wiz.io accidentally uncovered a 'novel' class of Domain Name Service (DNS) flaws in Amazon Web Services' Route53. The researchers were surprised to find that its self-service domain registration system allowed them to create a new hosted zone with the same name as a real AWS name server and point it at their own IP address.
After registering a bogus AWS name server as ns-852.awsdns-42.net, the same name as an actual AWS name server, the researchers received traffic from more than 15,000 different AWS customers and a million endpoint devices. In the process they gathered a treasure trove of information on Fortune 500 companies as well as 45 US government agencies and 85 government agencies overseas.
"We were trying to figure out how to break DNS and we had no idea what traffic we were getting at first. In theory, if you register a name server name ... it shouldn't have any impact. We understood then that we were on top of an unbelievable set of intelligence, just by tapping for a few hours into a small portion of the network. I called it a nation-state intelligence capability using a simple domain registration," says Ami Luttwak, co-founder and CTO of Wiz.io as well as a former member of Microsoft's cloud security team.
AWS patched the security hole in mid-February, shortly after the researchers alerted it in January. However, two other vendors the researchers contacted about the flaw have not yet fixed it in their DNS services. An AWS spokesperson did not provide any details but confirmed that Route53 "is not affected by this issue," adding that the service "prevents the creation of Hosted Zones for DNS names associated to Route53 name servers."
“All it took to close the vulnerability in AWS Route53 was placing the official AWS name-server name on a so-called ‘ignore’ list. The problem was anyone could register the official name servers on the platform, so they put the list of their name servers on an 'ignore' list so attackers can't register them anymore,” Shir Tamari, head of Wiz.io security research team, explained.
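The mitigation Tamari describes is a deny-list check at zone-creation time: the provider's own name-server hostnames are reserved, so a customer can no longer create a hosted zone that answers for one of them. The following is an added example of such a check, written for this page and not code from Wiz.io or AWS. It assumes a constructed reserved list (only ns-852.awsdns-42.net comes from the article; the other entries follow the same pattern and are made up), and it goes slightly beyond the exact-match rule in the text by also refusing zone names that sit above or below a reserved name in the DNS tree, a conservative choice that is an assumption, not something the page states AWS does. A second function audits zones that already exist against the same list, which is the retroactive check a provider would want after adding the deny list.

```python
"""Hosted-zone name validation against a provider's reserved name-server names.

Added example (not Wiz.io's or AWS's code). The reserved list is a constructed
sample; a real provider would load its own name-server inventory instead.
"""

# Constructed sample "ignore" list of provider name-server hostnames.
# ns-852.awsdns-42.net is the name quoted in the article; the others are
# made-up entries in the same pattern, for illustration only.
RESERVED_NAME_SERVERS = {
    "ns-852.awsdns-42.net",
    "ns-1234.awsdns-26.org",   # constructed
    "ns-5.awsdns-00.com",      # constructed
}


def normalize(name: str) -> str:
    """Canonical form for comparison: trimmed, lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


def labels(name: str) -> list:
    """Split a normalized name into its DNS labels, root-most last."""
    return normalize(name).split(".")


def is_ancestor_or_equal(ancestor: str, name: str) -> bool:
    """True if `ancestor` is `name` itself or a zone above it in the DNS tree."""
    a, n = labels(ancestor), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def check_hosted_zone_name(zone_name: str, reserved=RESERVED_NAME_SERVERS):
    """Decide whether a requested hosted-zone name may be created.

    Returns (allowed, reason). A request is refused when it is malformed, is a
    reserved name-server hostname, lies below one, or lies above one (the last
    two are a conservative extension assumed here, not taken from the page).
    """
    zone = normalize(zone_name)
    if not zone or any(label == "" for label in zone.split(".")):
        return False, "malformed zone name"
    for ns in reserved:
        ns = normalize(ns)
        if zone == ns:
            return False, f"collides with provider name server {ns}"
        if is_ancestor_or_equal(ns, zone):
            return False, f"lies inside provider name server name {ns}"
        if is_ancestor_or_equal(zone, ns):
            return False, f"would contain provider name server {ns}"
    return True, "ok"


def find_colliding_zones(existing_zones, reserved=RESERVED_NAME_SERVERS) -> list:
    """Audit already-created zones; return the normalized names that collide."""
    return [
        normalize(z) for z in existing_zones
        if not check_hosted_zone_name(z, reserved)[0]
    ]


if __name__ == "__main__":
    # Constructed sample requests, including case and trailing-dot variants.
    for requested in ["example.com", "NS-852.awsdns-42.net.", "awsdns-42.net", ""]:
        print(f"{requested!r:28} -> {check_hosted_zone_name(requested)}")
    print(find_colliding_zones(["Example.com", "ns-852.AWSDNS-42.net", "net"]))
```

Normalizing before comparison matters: a deny list that compares raw strings is bypassed by a trailing dot or a change of case, since DNS names are case-insensitive and `ns-852.awsdns-42.net.` is the same owner name as `ns-852.awsdns-42.net`.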
On May 19, 2020, researchers from Tel Aviv University and the Interdisciplinary Center in Israel identified a similar flaw in the implementation of DNS recursive resolvers that can be exploited to launch disruptive DDoS attacks against any organization.