Cybersecurity researchers have disclosed details of a security flaw in the Amazon EC2 Simple Systems Manager (SSM) Agent which, if successfully exploited, can allow an attacker to achieve privilege escalation and code execution.
The vulnerability can allow an attacker to create directories in unintended locations on the file system, execute arbitrary scripts with root privileges and probably –, as noted in a report shared with Hacker News.
Amazon SSM Agent is a component of Amazon Web Services (AWS) that allows administrators to manage, configure and execute commands on EC2 instances and on-premises servers.
The software processes commands and tasks defined in SSM documents, which may include one or more plugins, each responsible for performing specific tasks, such as running shell scripts or automating deployment- or configuration-related activities.
Moreover, the SSM Agent dynamically creates directories and files based on the plugins, typically using the plugin identifiers as part of the directory structure. This also introduces a security risk: improper validation of these plugin identifiers can lead to potential vulnerabilities.
Cymulate's discovery is a path traversal flaw that arises from improper validation of plugin identifiers, which can allow attackers to manipulate the file system and execute arbitrary code with elevated privileges. The problem is rooted in a function called "ValidatePluginId" in pluginutil.go.
“This function does not properly sanitize the input, which allows attackers to supply malicious plugin IDs containing path traversal sequences (such as ../),” said security researcher Elad Beber.
As a result of this flaw, an attacker can essentially supply a specially crafted plugin identifier when creating an SSM document (for example, ../../../../../../Malicious_directory) to execute arbitrary commands or scripts on the underlying file system, opening the way to privilege escalation and other actions.
Following responsible disclosure on February 12, 2025, the vulnerability was addressed on March 5, 2025, with the release of Amazon SSM Agent version 3.3.1957.0.
“Add and use BuildSafePath method to prevent path traversal in the orchestration directory,” according to the release notes shared by the project's maintainers on GitHub.
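
The class of bug described above, as an added example that is not code from the SSM Agent or from the Cymulate report: an unvalidated plugin identifier joined onto a base directory, next to a containment check that rejects identifiers resolving outside it. The root path, the sample identifiers and the helper names `naiveJoin` and `safeJoin` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// orchestrationRoot is a constructed path, not the agent's real directory.
const orchestrationRoot = "/var/lib/example/orchestration"

var errEscapesRoot = errors.New("plugin ID resolves outside the orchestration root")

// naiveJoin shows the unsafe pattern: filepath.Join cleans "../" segments,
// so a crafted ID silently resolves to a path outside root.
func naiveJoin(root, pluginID string) string {
	return filepath.Join(root, pluginID)
}

// safeJoin (hypothetical helper) joins first, then verifies that the result
// is still strictly below root before anything is created on disk.
// The check is lexical only; it does not resolve symlinks.
func safeJoin(root, pluginID string) (string, error) {
	if pluginID == "" || filepath.IsAbs(pluginID) {
		return "", errEscapesRoot
	}
	cleanRoot := filepath.Clean(root)
	candidate := filepath.Join(cleanRoot, pluginID)
	rel, err := filepath.Rel(cleanRoot, candidate)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesRoot
	}
	return candidate, nil
}

func main() {
	// Constructed sample IDs; the second is the pattern quoted in the article.
	ids := []string{"example_step", "../../../../../../Malicious_directory", "a/../../b"}
	for _, id := range ids {
		p, err := safeJoin(orchestrationRoot, id)
		fmt.Printf("%-42q naive=%s safe=%q err=%v\n",
			id, naiveJoin(orchestrationRoot, id), p, err)
	}
}
```

Comparing the joined path against the root catches cases a substring search for `../` at the start of the identifier would miss, such as `a/../../b`.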