
Cybersecurity Threat Advisory 0063-21: AWS WorkSpaces Remote Code Execution

Threat Update

Rhino Security Labs has discovered a vulnerability in the AWS WorkSpaces desktop client, tracked as CVE-2021-38112, which allows arbitrary commands to be executed on the client machine if a victim opens a malicious WorkSpaces URI from their browser. Amazon has patched the vulnerability. AWS WorkSpaces desktop client versions prior to 3.1.9 are affected.

Technical Detail & Additional Information

WHAT IS THE THREAT?

When the WorkSpaces client is installed on a Windows machine, it registers a custom URI scheme (workspaces://). This allows WorkSpaces to be launched by visiting a workspaces:// URI in the browser. While handling the URI, the WorkSpaces application fails to sanitize the URI parameters, which are later placed on the command line used when authenticating to the WorkSpace. An attacker can therefore inject additional arguments into that command line. The client is built on the Chromium Embedded Framework (CEF), and one of the injectable arguments is the known CEF debugging flag --gpu-launcher, which specifies a program to run when the GPU process is launched, allowing arbitrary commands to be executed.
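The following is an added illustration of the bug class described above, not Rhino Security Labs' proof of concept and not the WorkSpaces client code. It models a URI handler that splices a URI parameter into a command line (vulnerable) beside one that allow-lists the parameter and passes arguments as a list (hardened). The URI layout (workspaces://<registration code>), the launched executable name, the --registration-code option and the registration-code pattern are all assumptions made for the example; the CEF flag --gpu-launcher is the one named in the advisory.

```python
"""Added example: argument injection through a custom URI handler.

Assumptions (not from the advisory): the URI carries a registration code
directly after the scheme, the client launches "client.exe" with a
--registration-code option, and a valid registration code matches REG_CODE_RE.
"""
import re
import shlex
from urllib.parse import unquote

SCHEME = "workspaces://"
INJECTED_FLAG = "--gpu-launcher"  # CEF debugging flag abused in CVE-2021-38112

# Assumed allow-list for a registration code: letters, digits and '+' only.
REG_CODE_RE = re.compile(r"[A-Za-z0-9+]{4,64}")


def extract_parameter(uri: str) -> str:
    """Return the decoded text after the scheme, as a browser would hand it over."""
    if not uri.startswith(SCHEME):
        raise ValueError("not a workspaces:// URI")
    return unquote(uri[len(SCHEME):])


def vulnerable_build_argv(uri: str) -> list:
    """Vulnerable: the parameter is concatenated into a command-line string,
    which the launcher then splits on whitespace. Anything the attacker puts
    after a space becomes a separate argument."""
    param = extract_parameter(uri)
    cmdline = f"client.exe --registration-code={param}"
    return shlex.split(cmdline)  # stands in for the platform's argv splitting


def hardened_build_argv(uri: str) -> list:
    """Hardened: reject anything outside the allow-list, and build argv as a
    list so the parameter can never be reinterpreted as extra arguments."""
    param = extract_parameter(uri)
    if not REG_CODE_RE.fullmatch(param):
        raise ValueError("rejected registration code: %r" % param)
    return ["client.exe", "--registration-code=" + param]


def has_injected_flag(argv: list, flag: str = INJECTED_FLAG) -> bool:
    """True if any argv element is the injected flag (with or without a value)."""
    return any(a == flag or a.startswith(flag + "=") for a in argv)


# Constructed sample URIs: a benign one and one carrying an injected flag.
BENIGN_URI = "workspaces://WSpdx%2BABC123"
MALICIOUS_URI = "workspaces://WSpdx%2BABC123%20--gpu-launcher%3Dcalc.exe"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_build_argv(MALICIOUS_URI))
    try:
        hardened_build_argv(MALICIOUS_URI)
    except ValueError as exc:
        print("hardened:", exc)
```

The hardened handler fixes both halves of the problem: the allow-list stops the attacker-controlled text from containing separators or flag syntax at all, and building argv as a list means the client never re-parses a string it assembled itself. Escaping or quoting the parameter alone is weaker, because argument quoting rules differ between platforms and launchers.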

WHY IS IT NOTEWORTHY?

This AWS WorkSpaces vulnerability allows remote code execution on the operating system of the machine where the WorkSpaces client is installed, with the privileges of the user who opened the link. Because the attacker controls that machine, they could also pivot toward the victim's AWS WorkSpace itself, for example by configuring proxy settings in the WorkSpaces client or by keylogging usernames and passwords when the victim legitimately signs in to their WorkSpaces environment.

WHAT IS THE EXPOSURE OR RISK?

AWS WorkSpaces is a widely used, highly scalable desktop virtualization service. It can be accessed in several ways, one of which is the desktop client that connects directly to a WorkSpace; any Windows machine running an affected version of that client is exposed, since exploitation requires only that a user open a link.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends immediately updating the AWS WorkSpaces desktop client to version 3.1.9 or higher, where the vulnerability is patched. Until the update is deployed, treat unexpected workspaces:// links in email or web pages as suspicious.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.