SentinelLabs claims responsibility for finding a severe vulnerability in multiple cloud services, including popular services from AWS. As the threats have since been patched, the researcher goes public with a technical report.

SentinelLabs is an extension of SentinelOne. Year-round, the organization searches and finds vulnerabilities in commonly used technology. Findings are initially shared with the vendor or developer of a vulnerable service or product. Only after a patch is applied, SentinelLabs communicates openly about an incident. A necessary precaution to prevent abuse during the vulnerable phase.

Earlier this year, SentinelLabs found a vulnerability in Eltima SDK. Multiple vendors, including Amazon (AWS), incorporate the library into their products and cloud services. Millions of users come into contact with Eltima SDK worldwide. Their organizations were at risk for months.

The method

One of the tools in Eltima SDK allows the data of a local USB device to be forwarded to a remote endpoint, thereby driving its functionality. A practical example of such an endpoint is a virtual machine in AWS WorkSpaces. WorkSpaces is among the services that offer Eltima SDK to its users. SentinelLabs found vulnerabilities in the drivers that Eltima SDK uses to redirect USB data. The organization created an overflow to execute code in the kernel of an operating system.

The consequence

SentinelLabs used different methods for the various solutions found to be vulnerable, including Amazon AppStream, NoMachine for Windows, Accops HyWorks for Windows, FlexiHub and Donglify. The risk was the same for each solution. Code could potentially be executed on the kernel of the operating system with which Eltima SDK was used. For example, to escalate user privileges.

Accops responded to the news with a FAQ page for concerned users. NoMachine addressed the issue as well. Every vendor, including FlexiHub and Donglify, patched the software automatically. Because users of AWS WorkSpaces have the option to turn off automatic maintenance, SentinelLabs advises them to update the client manually.

Tip: SentinelOne exposes vulnerabilities in Oracle VirtualBox