ExAws.SNS Improper Certificate Validation Vulnerability Allowing Signature Spoofing

Vulnerability

A vulnerability in the ExAws.SNS and ExAws.SNS.PublicKeyCache modules of the ex_aws_sns package, affecting versions from 2.0.1 up to but not including 2.3.5, allows signature spoofing because certificate URLs are not properly validated. The 'verify_message/1' function fetches the signing certificate from the 'SigningCertURL' field of an incoming SNS message without checking that the URL uses HTTPS or that its host belongs to an AWS-owned domain. As a result, an unauthenticated attacker who can post to an endpoint that calls 'verify_message/1' can supply a 'SigningCertURL' of their choosing and sign a forged SNS message with the matching private key, bypassing signature verification entirely.

Impact

Exploitation of this vulnerability completely bypasses SNS signature verification. An attacker can spoof SNS messages and hijack subscription deliveries by getting the application to auto-confirm a 'SubscribeURL' value the attacker controls.

Reproduction

To reproduce this vulnerability, an attacker must send a POST request to an endpoint that processes SNS messages. The request must include a forged SNS message with a 'SigningCertURL' that points to an attacker-controlled certificate. The message should be signed with a private key corresponding to a public key that the application will accept as valid, thereby exploiting the lack of proper URL validation to bypass signature verification.

Remediation

Users can update to ex_aws_sns version 2.3.5 or later, where this vulnerability has been patched.
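Updating is the fix; the check below is an added illustration of the two validations the advisory says were missing, written for this page and not taken from ex_aws_sns. It assumes the AWS SNS certificate host pattern sns.<region>.amazonaws.com (with an optional .cn suffix for China regions); the module name, the regex and the sample URLs are constructed for the example.

```elixir
# Added example, not ex_aws_sns's own code. Gate certificate retrieval on the
# SigningCertURL being HTTPS and pointing at an SNS hostname.
defmodule SigningCertUrlCheck do
  @moduledoc """
  Rejects SigningCertURL values that are not HTTPS or whose host is not an
  AWS SNS endpoint. The host pattern below is an assumption for illustration.
  """

  # Assumed SNS host pattern: sns.<region>.amazonaws.com or
  # sns.<region>.amazonaws.com.cn, anchored so look-alike domains fail.
  @sns_host ~r/^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/

  @spec valid?(term()) :: boolean()
  def valid?(url) when is_binary(url) do
    case URI.parse(url) do
      # URI.parse fills in 443 for https; reject userinfo and odd ports outright.
      %URI{scheme: "https", host: host, port: port, userinfo: nil}
      when is_binary(host) and port in [nil, 443] ->
        Regex.match?(@sns_host, String.downcase(host))

      _ ->
        false
    end
  end

  def valid?(_), do: false

  # Wrap the certificate fetch so it only runs for an acceptable URL.
  # fetch_cert is whatever function actually retrieves and caches the PEM.
  @spec checked_fetch(map(), (String.t() -> {:ok, term()} | {:error, term()})) ::
          {:ok, term()} | {:error, term()}
  def checked_fetch(%{"SigningCertURL" => url}, fetch_cert) when is_function(fetch_cert, 1) do
    if valid?(url), do: fetch_cert.(url), else: {:error, :invalid_signing_cert_url}
  end

  def checked_fetch(_message, _fetch_cert), do: {:error, :invalid_signing_cert_url}
end

# Constructed sample inputs for trying the check in iex:
SigningCertUrlCheck.valid?("https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem")
SigningCertUrlCheck.valid?("http://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem")
SigningCertUrlCheck.valid?("https://sns.us-east-1.amazonaws.com.example.test/cert.pem")
SigningCertUrlCheck.valid?("https://user@sns.us-east-1.amazonaws.com/cert.pem")
```

Of the four sample URLs, only the first passes: the second uses plain HTTP, the third has a host that merely begins with the SNS name, and the fourth carries userinfo. Anchoring the regex at both ends is what defeats the look-alike host; a substring check would not.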

Added: May 28, 2026, 10:24 AM
Updated: May 28, 2026, 10:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.