Cybersecurity researchers have identified a significant vulnerability in Amazon Elastic Container Service (ECS) that could enable attackers to execute an “end-to-end privilege escalation chain” within cloud environments. The exploit, dubbed ECScape, was revealed by Naor Haziz from Sweet Security during a presentation at the Black Hat USA security conference held in Las Vegas.
The ECScape technique exploits an undocumented ECS internal protocol, allowing attackers to access sensitive data and seize control of the cloud environment. Haziz noted, “We identified a way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance.” This means that a malicious container with a low-privileged Identity and Access Management (IAM) role can hijack the permissions of a higher-privileged container.
This vulnerability could lead to serious consequences for organizations using ECS tasks on shared EC2 hosts, exposing them to cross-task privilege escalation and metadata exfiltration. According to Haziz, by leveraging this attack method, compromised containers can obtain credentials for all running tasks on the same EC2 instance, collapsing the trust model within those environments.
Amazon has encouraged organizations to adopt stronger isolation models and has clarified in its documentation that ECS on EC2 provides no isolation between tasks on the same instance, which is what lets one container reach the credentials of other tasks. As a precaution, experts recommend not deploying high-privilege tasks alongside untrusted tasks on the same host, using AWS Fargate where stronger isolation is needed, and regularly reviewing IAM role permissions.
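The co-location advice above can be turned into a routine inventory check. The following is an added example, not code from the article or from Sweet Security: given a list of ECS task records, it flags EC2 container instances where a task running under a privileged IAM task role shares the host with tasks running under a different role or no role at all, and skips Fargate tasks because each runs in its own environment. The task records, account id, ARNs and role names are all constructed, and the record shape is simplified (a real DescribeTasks result carries the task role on the task definition rather than on the task).

```python
from collections import defaultdict

ACCOUNT = "123456789012"  # constructed placeholder account id
CI_A = f"arn:aws:ecs:us-east-1:{ACCOUNT}:container-instance/demo/ci-A"
CI_B = f"arn:aws:ecs:us-east-1:{ACCOUNT}:container-instance/demo/ci-B"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/admin-task-role"
WEB_ROLE = f"arn:aws:iam::{ACCOUNT}:role/web-task-role"
BATCH_ROLE = f"arn:aws:iam::{ACCOUNT}:role/batch-task-role"

# Constructed sample records (simplified shape, see lead-in).
SAMPLE_TASKS = [
    {"taskArn": "t1", "launchType": "EC2", "containerInstanceArn": CI_A, "taskRoleArn": ADMIN_ROLE},
    {"taskArn": "t2", "launchType": "EC2", "containerInstanceArn": CI_A, "taskRoleArn": WEB_ROLE},
    {"taskArn": "t3", "launchType": "EC2", "containerInstanceArn": CI_A},  # no task role at all
    {"taskArn": "t4", "launchType": "EC2", "containerInstanceArn": CI_B, "taskRoleArn": ADMIN_ROLE},
    {"taskArn": "t5", "launchType": "FARGATE", "taskRoleArn": BATCH_ROLE},
]
# Roles whose credentials must never be reachable from a neighbouring task.
PRIVILEGED_ROLES = {ADMIN_ROLE}


def tasks_by_ec2_host(tasks):
    """Group EC2-launched tasks by container instance. Fargate tasks are skipped:
    each runs in its own isolated environment rather than on a shared host."""
    hosts = defaultdict(list)
    for task in tasks:
        if task.get("launchType") == "EC2":
            hosts[task["containerInstanceArn"]].append(task)
    return hosts


def find_mixed_trust_hosts(tasks, privileged_roles):
    """Return, per container instance, the privileged roles that share the host
    with tasks running under a different role (or under no task role at all).
    A host whose tasks all run under the same role is not reported."""
    findings = {}
    for host, host_tasks in tasks_by_ec2_host(tasks).items():
        roles = {task.get("taskRoleArn") for task in host_tasks}
        exposed = roles & privileged_roles
        if exposed and len(roles) > 1:
            findings[host] = {
                "privileged_roles": sorted(exposed),
                "co_located_roles": sorted(r or "<no task role>" for r in roles - exposed),
                "task_count": len(host_tasks),
            }
    return findings


if __name__ == "__main__":
    for host, info in find_mixed_trust_hosts(SAMPLE_TASKS, PRIVILEGED_ROLES).items():
        print(f"{host}: {info['privileged_roles']} co-located with {info['co_located_roles']}")
```

In a real environment the task list would come from the ECS API, with each task's role resolved from its task definition before the check runs.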