Amazon ECS Agent Command Injection Vulnerability in FSx Windows File Server Volume Mounting
Vulnerability
A command injection vulnerability has been identified in the Amazon ECS Agent on Windows, affecting versions 1.47.0 through 1.102.2. It arises from improper handling of inputs in the FSx Windows File Server volume mounting component. A remote authenticated attacker could exploit this issue to execute shell commands with SYSTEM privileges on the underlying host. Exploitation involves a crafted username field in an ECS task definition, and requires permission to register ECS task definitions or to write to the Secrets Manager or SSM Parameter Store credentials used in the FSx volume configuration.
Impact
Exploitation of this vulnerability allows for unauthorized command execution with SYSTEM privileges on the host machine.
Remediation
Users should upgrade to Amazon ECS Agent version 1.103.0. Instructions for upgrading to the latest Amazon ECS-optimized Windows AMI are available in the Amazon ECS documentation. Users who cannot update should restrict ecs:RegisterTaskDefinition permissions to trusted IAM principals and limit write access to Secrets Manager secrets referenced in FSx volume configurations.
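To find which hosts still need the upgrade, the sketch below (an added example, not code from AWS or the ECS Agent project) triages container instances against the affected range 1.47.0 through 1.102.2. It assumes input shaped like a describe-container-instances response, with versionInfo.agentVersion and the ecs.os-type attribute; the helper names, ARNs and sample records are constructed for illustration.

```python
AFFECTED_MIN = (1, 47, 0)    # first affected agent release, per the advisory
AFFECTED_MAX = (1, 102, 2)   # last affected agent release, per the advisory

def parse_version(text):
    """Turn '1.102.2' into (1, 102, 2); return None if it cannot be parsed."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None
    return parts if len(parts) == 3 else None

def os_type(instance):
    """Read the ecs.os-type attribute registered for the instance."""
    for attr in instance.get("attributes", []):
        if attr.get("name") == "ecs.os-type":
            return str(attr.get("value", "")).lower()
    return "unknown"

def triage(describe_output):
    """Map each container instance ARN to affected / ok / unknown / not-windows."""
    result = {}
    for inst in describe_output.get("containerInstances", []):
        arn = inst.get("containerInstanceArn", "<no-arn>")
        version = parse_version(inst.get("versionInfo", {}).get("agentVersion"))
        if os_type(inst) == "linux":
            result[arn] = "not-windows"      # advisory covers the Windows agent only
        elif version is None:
            result[arn] = "unknown"          # no usable version: check by hand
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            result[arn] = "affected"         # also used when the OS attribute is missing
        else:
            result[arn] = "ok"
    return result

def _inst(name, os_name, agent_version):
    """Build one constructed record shaped like a containerInstances entry."""
    rec = {"containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/demo/" + name,
           "attributes": [{"name": "ecs.os-type", "value": os_name}] if os_name else []}
    if agent_version is not None:
        rec["versionInfo"] = {"agentVersion": agent_version}
    return rec

# Constructed sample input, not real fleet data.
SAMPLE = {"containerInstances": [
    _inst("win-old", "windows", "1.102.2"), _inst("win-fixed", "windows", "1.103.0"),
    _inst("win-pre", "windows", "1.46.0"), _inst("lin", "linux", "1.60.0"),
    _inst("win-nover", "windows", None), _inst("no-os", None, "1.47.0"),
]}
```

Calling triage() on the parsed JSON from aws ecs describe-container-instances returns one status per instance; instances reported as "affected" or "unknown" are the ones to upgrade or inspect first.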
