The Yubikey CLI and AWS MFA
ACM.11 Considering the attack surface and MFA choices for our Security Batch Jobs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: AWS Security | IAM | MFA | Passwords
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As I was writing what I thought would be my next post on creating an AWS KMS Key to protect a secret in Secrets Manager, a few other things popped up that required investigation and explanation. I already wrote about KMS key architecture considerations:
Before I can create a KMS Key, I need to create the identities that are allowed to use the key, so I can grant them access in my KMS Key policy. I was going to create an AWS User, but I was trying to remember why AWS SSO didn’t work for me the last time I tried this.
That’s when I discovered an AWS announcement from one day prior on AWS IAM Identity Center, the successor to AWS SSO. I wondered if something new would alter my planned architecture and user choice for execution of batch jobs. It didn’t. I wrote about that in my last post.
I’m going to be using a traditional IAM user for the reasons explained in that last blog post that rule out AWS SSO users in AWS Identity Center. I’m not using a role alone because you can’t associate MFA with a role, only with a user. We’ll need to have a user initiate the process and require MFA to assume the role used by the batch job. Alternatively I could use GetSessionToken. I’ll explore those options in a later post.
Obtaining an MFA Token
To use MFA programmatically we will have to obtain a token to pass into our process to start our jobs. Before I create a user and configure MFA, I wanted to explain why I am not using a Yubikey for this purpose.
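The flow described above, a user whose virtual MFA device produces a six-digit code that is then passed to STS when assuming the batch job role, as an added example that is not code from the original post. The `totp` function implements the RFC 6238 algorithm a virtual MFA device runs, checked against the RFC’s published test secret rather than any real seed; the seed itself stays on the separate phone and the job only ever receives the typed code. The role and MFA device ARNs are placeholders, and `assume_role_with_mfa` takes the STS call as a parameter so it can be exercised offline. GetSessionToken accepts the same `SerialNumber` and `TokenCode` parameters, so the alternative the text mentions is the same call with a different STS operation.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Dict, Optional


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm an AWS virtual MFA device runs.

    `secret` is the raw seed bytes; `at_time` is a Unix timestamp (defaults to now).
    """
    now = int(time.time()) if at_time is None else at_time
    counter = struct.pack(">Q", now // step)          # 8-byte big-endian time step
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_mfa_seed(base32_seed: str) -> bytes:
    """AWS presents a virtual MFA seed as base32 text; normalise and decode it."""
    cleaned = "".join(base32_seed.split()).upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)       # restore any stripped padding
    return base64.b32decode(padded)


def assume_role_with_mfa(assume_role: Callable[..., Dict], role_arn: str,
                         mfa_serial: str, token_code: str,
                         session_name: str = "batch-job",
                         duration_seconds: int = 3600) -> Dict:
    """Call STS AssumeRole with the user's MFA device serial and current code.

    `assume_role` is normally boto3's `sts.assume_role`; it is injected here so the
    function can be tested without network access. Returns the temporary credentials.
    """
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA token code must be exactly six digits")
    response = assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,        # ARN of the user's virtual MFA device
        TokenCode=token_code,           # code read from the separate phone
        DurationSeconds=duration_seconds,
    )
    return response["Credentials"]


if __name__ == "__main__":
    import sys
    try:
        import boto3
    except ImportError:
        sys.exit("boto3 is not installed; the functions above still work offline")
    sts = boto3.client("sts")
    # Placeholder ARNs (hypothetical account, role and MFA device names).
    role = "arn:aws:iam::123456789012:role/BatchJobRole"
    device = "arn:aws:iam::123456789012:mfa/batch-user"
    code = input("Enter the 6-digit code from your virtual MFA device: ").strip()
    creds = assume_role_with_mfa(sts.assume_role, role, device, code)
    print("Temporary access key:", creds["AccessKeyId"])
```

The STS call only enforces the `TokenCode` if the role’s trust policy requires it, which is what a `Condition` on `aws:MultiFactorAuthPresent` does; without that condition a caller who omits `SerialNumber` and `TokenCode` can still assume the role.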
First, I noticed that this AWS documentation page states the following regarding the use of U2F security keys for API access:
You cannot use MFA-protected API access with U2F security keys.
However, it seems that with the latest versions of Yubikeys, you can programmatically obtain a token from a Yubikey as explained here:
I love Yubikeys. I recommended that the first thing every startup should do is get Yubikeys for the business owners and their staff:
I also recommend them as a phishing-resistant option for logging into the AWS Console. However, I don’t want to use the method explained in the above blog post for the following reasons:
- I have to install the Yubico CLI on my local laptop to do that.
- I haven’t yet fully tested the Yubico CLI to fully understand its capabilities and the increase in attack surface.
- I am aware that someone with access to the CLI can change my Yubikey passcodes and configuration and want to explore that further.
By installing the Yubico CLI on my laptop, an attacker who somehow obtains access to my laptop can use the commands in that CLI to do whatever that CLI can do. Hopefully the attacker never gets access to my laptop, but I’d just like to rule out any possible attack paths until I investigate it further.
Attack Surface on a Phone With Virtual MFA
What about the attack surface of my phone and the ability to use that to obtain MFA codes? I use a separate phone for my authenticator app that I don’t use to surf the web or install untrusted applications. Hopefully, since I don’t click or go to links on that phone, my attack surface is reduced.
The one thing an attacker could do would be to try to trick me into entering an MFA token into a malicious application or website, but that same threat exists when using a Yubikey generated token. They could also try to steal my phone or trick someone into giving up my SIM card. I would notice that pretty quickly and use my access provided by an admin account and Yubikey to change settings as needed. The permissions granted to the user with permissions to assume a role used by a batch job will be limited to what the batch jobs require.
Potential attack scenario with the Yubico CLI on your laptop
Let’s say I have this software installed on my laptop and somehow an attacker gets access to run commands on my laptop. Somehow the malware figures out when I visit a webpage that requires MFA and I’m about to click a button to allow access via my Yubikey. Somehow that malware generates a programmatic request for a code just before I try to use my Yubikey for that web site and intercepts the code. I am sitting here thinking my key just didn’t work. I hit the button again and my request on the website goes through. I never knew that the attacker just got one of my MFA codes from my Yubikey.
Is that likely? Maybe not. But is it possible? Yes. Could a nation state attacker do something that crafty with enough time and money? What do you think? (The answer is yes.)
An even simpler option would be to get me to click on some link that somehow executes the command on my laptop via some form of malware.
I could probably think of more scenarios but I’m already sold on keeping it simple and keeping that attack vector off my laptop until I fully understand the implications. If I do use it, I’d probably install it on a separate administrative device, or I’d use different Yubikeys for different purposes. I already do both those things.
Reduced Attack Surface
Alternatively, let’s say that Yubico CLI doesn’t exist on my laptop and I rarely install anything on my laptop. I run everything I possibly can in the cloud. Hopefully I would notice if someone did try to install something because I monitor all network connections so there’s no software on my laptop that can facilitate a programmatic token request. In this latter scenario, the attacker’s command line attempts to get a token from my Yubikey would be in vain.
Of course, I can think of ways attackers could still try to get to a token and they could try to install malware that has those capabilities, but at least I’ve made it a bit harder.
About blindly trusting vendor software…
I did try out the Yubico software once to adjust some settings and store PGP keys and it ended up locking me out of my own encrypted documents. I must have done something wrong due to what happened to me there so I need to test it out a bit more before I rely on that functionality. Make sure you have a backup of your PGP key in a safe place like on a USB drive in a safe if you are going to try that out.
I also found a security issue on some Yubikey software deployed with Chocolatey on Windows. If I recall correctly it installed an outdated library that had a known CVE, but I can’t remember exactly.
Regardless of the vendor, I’m not going to blindly trust any software until I have a chance to review it and test it. If I’m not sure about a piece of software, I typically run it in a locked down environment or on a separate device where it won’t affect critical components of my security and I can monitor it.
I generally avoid installing anything on my laptop and run everything in a cloud VM to reduce the attack surface on my local machine. I can’t do that with the Yubico CLI since I have to push the button on a device connected to a local computer. I don’t even want to expose that functionality in the cloud if I could push a button on my laptop and have it send the token to the cloud. For now I’ll stick with a virtual MFA device to initiate batch jobs.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2022
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab