Security Update: Installer v2.7.0 — SCP Privilege Escalation Hardening #25
PeterBengtson announced in Announcements
OpenSecOps Installer v2.7.0 addresses privilege escalation vulnerabilities in the Service Control Policy (SCP) layer that enforces IAM permissions boundary integrity. Updating is strongly recommended for all installations.
What was affected

The SCPs require-boundary-permissions.json and protect-foundations.json contained gaps that could allow a user with an SSO role, particularly DeveloperAccess, to bypass permissions boundary enforcement and escalate privileges. Exploitation required deliberate, multi-step action by an authenticated insider; no external attack surface was exposed.

What was fixed

- require-boundary-permissions.json
- protect-foundations.json

Affected versions

All installations running Installer v2.6.0 or earlier are affected. v2.6.1 addressed one of the vectors; v2.7.0 completes the hardening.
Action required

Copy the following files from apps.example/ to apps/ and redeploy your SCPs:

- foundation/SCPs/require-boundary-permissions.json
- foundation/SCPs/protect-foundations.json

No other configuration changes are needed. The fixes do not affect any legitimate workflow: all standard developer, network administrator, and security administrator operations continue to work exactly as before.

Deployment: Copy the two updated SCP files and redeploy using standard procedures. Verify the updated SCPs are active in your AWS Organizations console.
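As an added example (not part of the OpenSecOps Installer or of this announcement), the POSIX shell script below performs the copy step from apps.example/ to apps/ for exactly the two SCP files named above, reports which of them actually changed, and adds a helper that compares a local SCP file with the policy document AWS Organizations returns for a given policy id, a scriptable counterpart to checking the console. The directory layout and file names come from the announcement; the policy id argument, the temporary demo directory and the minimal JSON written into it are constructed for the demo and are not the project's real policy content.

```shell
# Sync the two hardened SCP files and check for drift against what is deployed.
# Added example; not part of the OpenSecOps project. Paths below follow the
# announcement, everything else (demo directory, sample JSON) is constructed.

SCP_FILES="foundation/SCPs/require-boundary-permissions.json foundation/SCPs/protect-foundations.json"

# sync_scp_files SRC_ROOT DST_ROOT
# Copies each file in SCP_FILES from SRC_ROOT (apps.example/) to DST_ROOT (apps/)
# when it is missing or differs byte-for-byte. Per-file status goes to stderr;
# stdout carries only the number of files that were (re)written.
# Exit status 1 if a source file is missing, so a partial update is not silently
# deployed.
sync_scp_files() {
  src_root=$1
  dst_root=$2
  changed=0
  for f in $SCP_FILES; do
    if [ ! -f "$src_root/$f" ]; then
      echo "missing source file: $src_root/$f" >&2
      return 1
    fi
    mkdir -p "$(dirname "$dst_root/$f")"
    if [ -f "$dst_root/$f" ] && cmp -s "$src_root/$f" "$dst_root/$f"; then
      echo "unchanged: $f" >&2
    else
      cp "$src_root/$f" "$dst_root/$f"
      echo "updated:   $f" >&2
      changed=$((changed + 1))
    fi
  done
  echo "$changed"
}

# deployed_scp_matches LOCAL_FILE POLICY_ID
# Fetches the deployed policy document via the AWS CLI (needs credentials with
# organizations:DescribePolicy) and compares it with the local file, ignoring
# whitespace differences. Exit status: 0 identical, 1 drift (diff printed to
# stderr), 2 fetch failed. Not run in the demo because it needs AWS access.
deployed_scp_matches() {
  local_file=$1
  policy_id=$2
  deployed=$(mktemp)
  if ! aws organizations describe-policy --policy-id "$policy_id" \
        --query 'Policy.Content' --output text > "$deployed"; then
    rm -f "$deployed"
    return 2
  fi
  if diff -q -w "$local_file" "$deployed" > /dev/null; then
    rm -f "$deployed"
    return 0
  fi
  diff -u -w "$local_file" "$deployed" >&2 || true
  rm -f "$deployed"
  return 1
}

# --- Stand-alone demo with constructed placeholder files (not real SCP content) ---
demo_root=$(mktemp -d)
for f in $SCP_FILES; do
  mkdir -p "$demo_root/apps.example/$(dirname "$f")"
  printf '{"Version":"2012-10-17","Statement":[]}\n' > "$demo_root/apps.example/$f"
done
first=$(sync_scp_files "$demo_root/apps.example" "$demo_root/apps")   # both files written
second=$(sync_scp_files "$demo_root/apps.example" "$demo_root/apps")  # nothing to do
echo "first run rewrote $first file(s), second run rewrote $second file(s)"
rm -rf "$demo_root"
```

After the real redeploy, call deployed_scp_matches with the repo file and the policy id shown in AWS Organizations for that SCP (for example `deployed_scp_matches apps/foundation/SCPs/protect-foundations.json p-exampleid`, where the id is a placeholder); an exit status of 1 means the console still holds the old document and the update did not take effect. The comparison ignores whitespace only, so a reordered or reformatted statement list is still reported as drift, which is the conservative behaviour for a policy that is the privilege escalation guard.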