Amazon ECS Agent Introspection Server Off-Host Access Vulnerability

A vulnerability in the Amazon ECS agent allows an introspection server to be accessed off-host by another instance under certain conditions. This issue arises if the instances are in the same security group or if their security groups permit incoming connections to the introspection server port (51678). The vulnerability affects ECS agent versions 0.0.3 prior to 1.97.0. However, instances where off-host access to the introspection server is disabled are not affected.

Impact

Exploitation of this vulnerability could lead to unauthorized off-host access to the introspection server, allowing another instance to retrieve information about the ECS agent's state and the container instances.

Remediation

Users are advised to upgrade to Amazon ECS agent version 1.97.1. For those unable to update to the latest AMI, it is recommended to modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678).