Comment 20 for bug 1824248

Jeremy Stanley (fungi) wrote :

So admin-added rules appear in the the Launch Instance modal, just not the normal Manage Security Groups view? If so, then coupling this with the fact that it relies on a malicious service admin to actually pull off any attack of this sort, I think we should be able to continue the discussion in public. I also lean toward categorizing this as a security hardening opportunity rather than a vulnerability in need of an advisory as it's at best only partly capable of hiding any "backdoor" network access rules.