logo

Database

OS Command Injection In github.com/aws/amazon-ecs-agent

Description

Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure

Summary

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. An issue exists where, under certain circumstances, improper input validation in the FSx Windows File Server volume mounting process allows command injection through specially crafted credentials.

Impact

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.

To remediate this issue, users should upgrade to version 1.103.0.

Impacted versions: Version 1.47.0 through 1.102.2 of the ECS Agent for Windows

Patches

This issue only impacts ECS Windows worker instances. ECS on Fargate is not affected. This issue has been addressed in ECS agent version 1.103.0. Amazon ECS recommends upgrading to the latest Amazon ECS-optimized Windows AMI with an updated ECS agent version.

Workarounds

Customers who cannot update to the latest AMI can restrict ecs:RegisterTaskDefinition permissions to trusted IAM principals only and restrict write access to Secrets Manager secrets referenced in FSx volume configurations.

References

If you have any questions or comments about this advisory, Amazon ECS asks that users contact [AWS/Amazon] Security via vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.

Acknowledgement

Amazon ECS would like to thank Sachin Patil for collaborating on this issue through the coordinated vulnerability disclosure process.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-fc67-c4hg-q6532. GCVE-GHSA-fc67-c4hg-q653

References

1. https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-fc67-c4hg-q653

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-K9XIG – Vulnerability | Fluid Attacks Database