Lumigo SAR Measure Cold Start Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Lumigo SAR Measure Cold Start application, in versions through 1.4.1, allows privilege escalation through insecure IAM permissions. The application creates a function named 'Loop' whose execution role is granted excessive permissions, including 'lambda:UpdateFunctionConfiguration' on a wildcard resource (all Lambda functions). This permission can be abused to update the configuration of other Lambda functions in the account, potentially exposing the temporary security credentials of their execution roles and allowing an attacker to compromise the customer's cloud account.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing an attacker to access and misuse temporary security credentials of AWS Lambda execution roles, and potentially take over the customer's cloud account.

Reproduction

To reproduce this vulnerability, deploy the 'measure-cold-start' application from the AWS Serverless Application Repository. Once deployed, a Lambda function named 'Loop' will be created with overly permissive policies. An attacker can then create a malicious Lambda Layer, make it publicly accessible, and use the 'lambda:UpdateFunctionConfiguration' permission to attach the layer to functions in the target account. This layer can be designed to steal temporary security credentials, which can then be used to escalate privileges and take over the cloud account.

Remediation

It is recommended to remove the 'lambda:UpdateFunctionConfiguration' permission or restrict it to specific resources, rather than using wildcards. Additionally, ensure that any Lambda Layers used are from within the same AWS account and not from third-party sources.
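Two audit checks for the remediation points above, added here as example code (not taken from the advisory or from Lumigo): one flags Allow statements that grant 'lambda:UpdateFunctionConfiguration' on a wildcard Resource, the other lists layers attached from outside the deploying account. The policy documents, account ids and ARNs are constructed samples.

```python
import fnmatch

TARGET_ACTION = "lambda:UpdateFunctionConfiguration"


def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list
    return value if isinstance(value, list) else [value]


def allows_update_config_on_wildcard(policy):
    """Return Sids of Allow statements granting UpdateFunctionConfiguration
    (directly or via a wildcard such as 'lambda:*') on a wildcard Resource."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names match case-insensitively and may contain '*' / '?'
        actions = (a.lower() for a in _as_list(stmt.get("Action", [])))
        if not any(fnmatch.fnmatchcase(TARGET_ACTION.lower(), a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":function:*") for r in resources):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def foreign_layers(function_config, own_account_id):
    """Return attached layer ARNs whose account field differs from ours
    (layer ARN format: arn:aws:lambda:REGION:ACCOUNT:layer:NAME:VERSION)."""
    return [
        layer["Arn"] for layer in function_config.get("Layers", [])
        if layer["Arn"].split(":")[4] != own_account_id
    ]


# Constructed sample: the over-broad grant shape the advisory describes ...
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LoopUpdate", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionConfiguration", "lambda:GetFunction"],
     "Resource": "*"}]}

# ... and the same permission scoped to the single function it needs to touch
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LoopUpdate", "Effect": "Allow",
     "Action": "lambda:UpdateFunctionConfiguration",
     "Resource": "arn:aws:lambda:us-east-1:111111111111:function:cold-start-target"}]}

# Constructed function configuration: one in-account layer, one third-party layer
SAMPLE_CONFIG = {"FunctionName": "Loop", "Layers": [
    {"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:in-house:3"},
    {"Arn": "arn:aws:lambda:us-east-1:222222222222:layer:untrusted:1"}]}
```

In a real audit the policy documents come from the role attached to each deployed function (for example via the IAM and Lambda APIs), and `own_account_id` is the account the application was deployed into.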

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  6.1
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.