{"id":4315,"date":"2025-08-08T12:32:51","date_gmt":"2025-08-08T12:32:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4315"},"modified":"2025-08-08T12:32:51","modified_gmt":"2025-08-08T12:32:51","slug":"ecscape-new-aws-ecs-flaw-lets-containers-hijack-iam-roles-without-breaking-out","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4315","title":{"rendered":"ECScape: New AWS ECS flaw lets containers hijack IAM roles without breaking out"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>At <a href=\"https:\/\/www.csoonline.com\/article\/3482049\/black-hat-latest-news-and-insights.html\">Black Hat<\/a> USA 2025, Sweet Security\u2019s Naor Haziz revealed a significant privilege escalation flaw in Amazon ECS that allows a low-privilege container running on an EC2-backed task to hijack higher-privileged IAM roles from other containers on the same host.<\/p>\n<p>Dubbed ECScape, the flaw stems from ECS\u2019 internal credential distribution. 
The ECS control plane delivers task IAM credentials via an undocumented internal WebSocket protocol, Agent Communication Service (ACS), which a container attacker can tap into if they first obtain the EC2 instance role credentials from Instance Metadata Service (IMDS).<\/p>\n<p>\u201cIn practice, this means a compromised app in your ECS cluster could assume the role of a more privileged task by stealing its credentials \u2013 as long as they are running on the same instance,\u201d Haziz said in a <a href=\"https:\/\/www.sweet.security\/blog\/hijacking-privileges-in-the-cloud-breaking-role-boundaries-in-amazon-ecs\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, adding that the flaw also exposes task execution roles which, when compromised, can be abused to extract secrets or artifacts.<\/p>\n<p>Haziz originally set out to build an eBPF-based real-time monitoring tool for ECS workloads. While doing so, he intercepted communication between the ECS agent and AWS backend as part of his debugging process, which is when he noticed the undocumented WebSocket channel.<\/p>\n<h2 class=\"wp-block-heading\">From lowly tasks to privileged IAM roles<\/h2>\n<p>Thanks to the default availability of <a href=\"https:\/\/www.csoonline.com\/article\/3959148\/hackers-attempted-to-steal-aws-credentials-using-ssrf-flaws-within-hosted-sites.html\">IMDS<\/a>, any container (with low-level access) on an EC2-based ECS instance can read the instance role credentials intended for the ECS agent.<\/p>\n<p>\u201cNo container breakout (no hostroot access) was required \u2013 however IMDS access was required via clever network and system trickery from within the container\u2019s own namespace,\u201d Haziz noted, adding that accessing IMDS lets any container impersonate an ECS agent. 
AWS has <a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/configuring-instance-metadata-options.html\" target=\"_blank\" rel=\"noopener\">documentation<\/a> on how to prevent or limit access to IMDS.<\/p>\n<p>Armed with those instance role credentials, the attacker can forge communication over the ACS WebSocket. This allows them to intercept or request <a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">IAM<\/a> credentials of other running tasks, even if those tasks are supposed to be isolated by IAM roles. Essentially, the compromised container escalates by masquerading as the ECS agent, the orchestrator component responsible for managing tasks on the host.<\/p>\n<p>\u201cThe stolen keys (IAM credentials) work exactly like the real task\u2019s keys,\u201d Haziz said. \u201cAWS CloudTrail will attribute API calls to the victim task\u2019s role, so initial detection is tough \u2013 it appears as if the victim task is performing the actions.\u201d This makes the attacker\u2019s activity hard to distinguish in the logs, because AWS attributes every action to the victim task.<\/p>\n<h2 class=\"wp-block-heading\">Fargate is comparatively safe<\/h2>\n<p>Amazon\u2019s design makes the EC2 host, not the container, the security boundary. When multiple tasks with varying IAM roles share the same EC2 instance, the risk of lateral escalation via ECScape increases. 
AWS did not immediately respond to CSO\u2019s request for comment.<\/p>\n<p>Sweet Security has recommended mitigations that include disabling or restricting IMDS access from less-trusted tasks so they can\u2019t obtain instance credentials, avoiding co-hosting low and high-privilege tasks on the same<a href=\"https:\/\/www.csoonline.com\/article\/3825098\/whoami-name-confusion-attacks-can-hack-into-aws-accounts-for-code-execution.html\"> EC2 instance<\/a>, and switching to <a href=\"https:\/\/aws.amazon.com\/fargate\/\" target=\"_blank\" rel=\"noopener\">AWS Fargate<\/a>, which provides better task isolation.<\/p>\n<p>\u201cAWS Fargate tasks don\u2019t share an underlying host with other tasks \u2013 each Fargate task runs in its own micro VM with its own isolated IMDS and ECS agent,\u201d Haziz explained. \u201cECScape does not apply to Fargate because there is no co-tenancy of the instance.\u201d<\/p>\n<p>A CVE ID has been requested for ECScape, and Sweet Security has published a <a href=\"https:\/\/github.com\/naorhaziz\/ecscape\" target=\"_blank\" rel=\"noopener\">proof-of-concept (PoC)<\/a> code for the vulnerability on GitHub. Haziz also shared <a href=\"https:\/\/naorhaziz.com\/assets\/video\/ecscape\/demo.mp4\" target=\"_blank\" rel=\"noopener\">a live demo<\/a> of ECScape, adding that unmitigated instances require no misconfigurations on the user\u2019s part. \u201cAll the default behaviors and settings of ECS on EC2 are enough for the attack to work,\u201d he added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>At Black Hat USA 2025, Sweet Security\u2019s Naor Haziz revealed a significant privilege escalation flaw in Amazon ECS that allows a low-privilege container running on an EC2-backed task to hijack higher-privileged IAM roles from other containers on the same host. Dubbed ECScape, the flaw stems from ECS\u2019 internal credential distribution. 
The ECS control plane delivers [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4315","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4315"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4315"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4315\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4311"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}