AWS Library Flaw Allows Certificate Bypass

A new vulnerability in Amazon’s AWS-LC cryptographic library could allow attackers to bypass TLS certificate chain verification. The flaw poses a risk of man-in-the-middle attacks for cloud workloads. Teams on AWS are advised to check their dependencies and apply security updates immediately.

The primary vulnerability, tracked as CVE-2026-3336, stems from improper certificate validation within the `PKCS7_verify()` function of AWS-LC. Specifically, when processing PKCS7 objects with multiple signers, the function fails to correctly validate the entire certificate chain, checking only the final signer. This oversight allows an unauthenticated attacker to potentially use an unverified certificate to appear as a trusted entity.

This certificate bypass flaw was discovered and reported by the AISLE Research Team through a coordinated vulnerability disclosure process with Amazon. During their analysis, they uncovered a total of eight issues in AWS-LC and five in s2n-tls, Amazon's TLS/SSL protocol implementation. This investigation also led Amazon to identify and fix a related signature validation bypass vulnerability, CVE-2026-3338.

Alongside the certificate and signature bypass flaws, a third vulnerability, CVE-2026-3337, was disclosed—a timing side-channel weakness in the AES-CCM tag verification. By analyzing minute variations in decryption processing time, an attacker could potentially determine if an authentication tag is valid, compromising the integrity of the encryption.

AWS-LC is an open-source cryptographic library based on code from Google's BoringSSL and the OpenSSL project. It serves as a foundational component for many AWS services and third-party integrations, providing FIPS 140-3 validated cryptography. This makes the vulnerabilities particularly noteworthy, as the library is designed to be a high-security, performance-optimized crypto implementation for both cloud services and open-source projects.

The affected versions for the certificate bypass flaw (CVE-2026-3336) include AWS-LC versions from v1.41.0 up to v1.68.x and the corresponding `aws-lc-sys` Rust crate versions from v0.24.0 to v0.37.x. Amazon has addressed the vulnerabilities in AWS-LC v1.69.0 and aws-lc-sys v0.38.0. There are no known workarounds for the certificate or signature bypass vulnerabilities, making the security update the only remediation.

The Rustls TLS library, a popular memory-safe alternative to OpenSSL, recently adopted AWS-LC as its default cryptography provider, partly due to its FIPS support. This highlights the library's growing adoption within the developer ecosystem, extending the potential impact of these vulnerabilities beyond the immediate AWS cloud infrastructure and into the broader open-source software supply chain.
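For Rust projects, the dependency check can be done against `Cargo.lock`. The script below is an added example, not code from the article or from Amazon: it flags locked `aws-lc-sys` versions inside the range the article gives for CVE-2026-3336 (v0.24.0 up to v0.37.x, fixed in v0.38.0). The function names and the sample lock file, including its `aws-lc-rs` entry, are constructed for illustration.

```python
import re
import sys

# Range stated in the article for CVE-2026-3336 (aws-lc-sys crate only).
FIRST_AFFECTED = (0, 24, 0)
FIRST_FIXED = (0, 38, 0)

# Constructed sample lock file: one affected and one fixed copy of the crate.
SAMPLE_LOCK = '''version = 3

[[package]]
name = "aws-lc-rs"
version = "1.0.0"
dependencies = [
 "aws-lc-sys 0.30.0",
]

[[package]]
name = "aws-lc-sys"
version = "0.30.0"

[[package]]
name = "aws-lc-sys"
version = "0.38.0"
'''

def parse_version(text):
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def find_affected(lock_text, crate="aws-lc-sys"):
    """List locked versions of `crate` that fall inside the affected range."""
    hits = []
    # Text before the first [[package]] header is lock-file metadata; skip it.
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.MULTILINE)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.MULTILINE)
        if not name or not version or name.group(1) != crate:
            continue
        if FIRST_AFFECTED <= parse_version(version.group(1)) < FIRST_FIXED:
            hits.append(version.group(1))
    return sorted(hits, key=parse_version)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    affected = find_affected(text)
    print("affected aws-lc-sys versions:", affected or "none")
    sys.exit(1 if affected else 0)
```

Run with a path to `Cargo.lock` as the only argument; a non-zero exit status means at least one locked version needs the update to v0.38.0. The check covers only the CVE-2026-3336 range, since the article gives no version ranges for the other two CVEs.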
