CVE-2024-37163
📋 TL;DR
SkyScrape version 1.0.0 transmits API requests over unsecured HTTP instead of HTTPS, exposing temporary AWS credentials and sensitive infrastructure data to interception. This affects all users running the vulnerable version, potentially compromising their AWS resources and usage data.
💻 Affected Systems
- SkyScrape
📦 What is this software?
Skyscraper by Opensourcelabs
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept AWS temporary credentials, gain full access to AWS infrastructure, deploy malicious resources, exfiltrate sensitive data, and incur substantial financial costs.
Likely Case
Credential theft leading to unauthorized access to AWS resources, data exposure, and potential resource manipulation in shared network environments.
If Mitigated
Limited exposure if deployed in isolated, trusted networks with strict network segmentation and monitoring.
🎯 Exploit Status
Exploitation requires network access to intercept unencrypted HTTP traffic, which is trivial with tools like Wireshark or network sniffers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub advisory for updated version
Vendor Advisory: https://github.com/oslabs-beta/SkyScraper/security/advisories/GHSA-vfqg-qhm5-5m3j
Restart Required: Yes
Instructions:
1. Visit the GitHub advisory URL
2. Check for updated SkyScrape version
3. Update to the patched version
4. Restart the SkyScrape application
🔧 Temporary Workarounds
Force HTTPS via Reverse Proxy
Deploy SkyScrape behind a reverse proxy (like nginx or Apache) configured to enforce HTTPS and terminate SSL/TLS.
# Example nginx config snippet:
# Redirect plaintext HTTP to HTTPS so clients never talk to the app unencrypted
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name your-domain.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    location / {
        # SkyScrape listens on localhost:3000; only the proxy should reach it
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Network Segmentation
Isolate SkyScrape to a trusted, segmented network with strict firewall rules to prevent unauthorized access.
# Example iptables rules to restrict access (replace trusted_ip_range with your CIDR, e.g. 10.0.0.0/24):
# Allow the trusted range to reach the SkyScrape port...
iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
# ...and drop everything else. Order matters: rules are evaluated top to bottom, so the ACCEPT must be appended first
iptables -A INPUT -p tcp --dport 3000 -j DROP
🧯 If You Can't Patch
- Immediately rotate all AWS temporary credentials used by SkyScrape
- Deploy SkyScrape in an isolated, air-gapped network with no external connectivity
🔍 How to Verify
Check if Vulnerable:
Inspect network traffic from SkyScrape using tools like Wireshark or tcpdump; look for HTTP (not HTTPS) requests to AWS endpoints.
Check Version:
Check the SkyScrape application interface or configuration files for version information; typically displayed in the GUI or via package manager.
Verify Fix Applied:
Confirm API requests are now using HTTPS by checking network traffic or reviewing application logs for secure connections.
📡 Detection & Monitoring
Log Indicators:
- HTTP (not HTTPS) requests to AWS endpoints in application logs
- Failed SSL/TLS handshake attempts if misconfigured
Network Indicators:
- Unencrypted HTTP traffic to AWS API endpoints (e.g., *.amazonaws.com) on typical ports
- Suspicious outbound connections from SkyScrape host
SIEM Query:
source="SkyScrape" AND (protocol="HTTP" OR destination_port=80) AND destination_domain="*.amazonaws.com"
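The "How to Verify" and "Detection & Monitoring" sections above both boil down to the same check: find requests from SkyScrape to AWS endpoints that use plaintext HTTP (scheme http or destination port 80) rather than HTTPS. The following script is an added example, not code from the advisory or from the SkyScraper project; it implements that check over a small set of constructed log lines in an assumed "timestamp source method url status" format (real SkyScrape logs may differ, so adapt the regex to your log shape). It flags offending requests for detection and also answers the "Verify Fix Applied" question by reporting whether every observed AWS request used HTTPS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not real SkyScrape output); format assumed for this example:
#   <timestamp> <source> <method> <url> <status>
SAMPLE_LOG = """\
2024-06-01T12:00:01Z skyscrape GET http://ec2.us-east-1.amazonaws.com/?Action=DescribeInstances 200
2024-06-01T12:00:02Z skyscrape GET https://monitoring.us-east-1.amazonaws.com/?Action=GetMetricData 200
2024-06-01T12:00:03Z skyscrape POST http://sts.amazonaws.com:80/ 200
2024-06-01T12:00:04Z skyscrape GET http://localhost:3000/api/health 200
2024-06-01T12:00:05Z skyscrape GET https://sts.amazonaws.com/ 200
2024-06-01T12:00:06Z skyscrape GET https://amazonaws.com.evil.example/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_aws_host(host):
    """True for amazonaws.com and its subdomains; a host that merely contains the string
    (e.g. amazonaws.com.evil.example) is not an AWS endpoint."""
    host = (host or "").lower()
    return host == "amazonaws.com" or host.endswith(".amazonaws.com")


def is_plaintext(url):
    """Mirror the SIEM query: plaintext if the scheme is http or the destination port is 80."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL; treat as not provably plaintext
        port = None
    return parts.scheme.lower() == "http" or port == 80


def find_plaintext_aws_requests(lines, source="skyscrape"):
    """Return the parsed entries that are plaintext HTTP requests from `source` to AWS endpoints."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["source"] != source:
            continue
        host = urlsplit(entry["url"]).hostname
        if is_aws_host(host) and is_plaintext(entry["url"]):
            entry["host"] = host
            hits.append(entry)
    return hits


def fix_verified(lines, source="skyscrape"):
    """'Verify Fix Applied': True only if at least one AWS request was observed and none was plaintext."""
    aws_seen = False
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["source"] != source:
            continue
        host = urlsplit(entry["url"]).hostname
        if not is_aws_host(host):
            continue
        aws_seen = True
        if is_plaintext(entry["url"]):
            return False
    return aws_seen


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_plaintext_aws_requests(lines):
        print(f"PLAINTEXT AWS REQUEST {hit['ts']} {hit['method']} {hit['url']}")
    print("fix verified:", fix_verified(lines))
```

Run it against an export of the relevant log source; a non-empty hit list is a detection, and `fix_verified` returning True after the update confirms the patched version is talking to AWS over HTTPS only.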