
Cybersecurity researchers at Wiz Research managed to gain admin access to key AWS GitHub repositories. The disclosed critical bug could've had massive repercussions, potentially threatening “The AWS Console itself” and every AWS account.
AWS CodeBuild, the managed cloud service that compiles source code and runs builds, was affected by a critical vulnerability so severe that attackers could have injected malicious code to launch a platform-wide compromise, according to the new Wiz report detailing the bug.
“As administrators, we could now push code directly to the main branch, approve any pull request, and exfiltrate repository secrets.”
The researchers dubbed the vulnerability “CodeBreach.” It enabled unauthenticated attackers to leak privileged credentials.
“By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account,” the report reads.
The tech giant has already investigated the issue and remediated all reported concerns.
“A security research team identified a configuration issue affecting the following AWS-managed open source GitHub repositories that could have resulted in the introduction of inappropriate code,” the AWS security bulletin reads.
However, this discovery serves as a wake-up call. Automated build systems handle untrusted input from external contributors, are complex and prone to misconfiguration, and run with high privileges.
This combination creates “a perfect storm for high-impact breaches that require no prior access,” Wiz warns.
How did the researchers get in?
Just a subtle misconfiguration could’ve led to a disproportionately impactful compromise.
Wiz researchers studied how various AWS repositories decide which GitHub users are trusted as maintainers.
They noticed that the CodeBuild filter did not require an exact match of the GitHub user ID. For example, if an approved maintainer had an ID of “12345,” someone else with an ID of “0123456” would still pass the regex filter, because that ID contains the required string as a substring.
“This meant that any GitHub user ID that is a superstring of an approved ID could bypass the filter,” the researchers explained.
“Just two missing characters in a Regex filter allowed unauthenticated attackers to infiltrate the build environment.”
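The filter flaw described above comes down to a regular expression that is not anchored with `^` and `$`, so a substring match is accepted where an exact match was intended. The following JavaScript is an added example, not code from the Wiz report or from AWS: it contrasts an unanchored allow-list regex with an anchored one and with a plain set lookup, and includes a small heuristic check that flags unanchored patterns of the kind used in a CodeBuild `ACTOR_ACCOUNT_ID` webhook filter. The user IDs and the helper names are constructed for illustration.

```javascript
// Constructed sample allow-list of "approved maintainer" GitHub user IDs.
// These are placeholders, not real account IDs.
const APPROVED_IDS = ["12345", "67890"];

// Weak filter: the regex has no ^ and $ anchors, so any actor ID that merely
// CONTAINS an approved ID (a superstring such as "0123456") is accepted.
function weakActorFilter(approvedIds) {
  const re = new RegExp(approvedIds.join("|"));
  return (actorId) => re.test(String(actorId));
}

// Hardened regex filter: the whole alternation is wrapped in a group and
// anchored, so only an exact ID matches.
function anchoredActorFilter(approvedIds) {
  const re = new RegExp(`^(${approvedIds.join("|")})$`);
  return (actorId) => re.test(String(actorId));
}

// Preferred when the allow-list is a fixed set of values: skip regex entirely
// and compare exact strings. There is nothing to get wrong about anchoring.
function exactActorFilter(approvedIds) {
  const allow = new Set(approvedIds.map(String));
  return (actorId) => allow.has(String(actorId));
}

// Heuristic audit for filter patterns stored in build configuration (hypothetical
// helper): a pattern is considered anchored only if it starts with ^ and ends
// with $, and, when it contains an alternation, the alternation is grouped so
// the anchors apply to every branch ("^12345|67890$" is NOT safe).
function patternIsAnchored(pattern) {
  const anchored = pattern.startsWith("^") && pattern.endsWith("$");
  if (!anchored) return false;
  if (!pattern.includes("|")) return true;
  return pattern.startsWith("^(") && pattern.endsWith(")$");
}

// Runs every filter against a superstring ID and returns the verdicts, so the
// difference is visible when the file is executed directly.
function demo() {
  const attackerLikeId = "0123456"; // constructed: contains "12345" as a substring
  return {
    weak: weakActorFilter(APPROVED_IDS)(attackerLikeId),        // true  (bypass)
    anchored: anchoredActorFilter(APPROVED_IDS)(attackerLikeId), // false
    exact: exactActorFilter(APPROVED_IDS)(attackerLikeId),       // false
    unsafePattern: patternIsAnchored("12345|67890"),             // false
    safePattern: patternIsAnchored("^(12345|67890)$"),           // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}

module.exports = { APPROVED_IDS, weakActorFilter, anchoredActorFilter, exactActorFilter, patternIsAnchored, demo };
```

The set-based check is the one to prefer for identity allow-lists: a regex is a pattern language, and the moment it is used to express "one of these exact values" every missing anchor or ungrouped alternation becomes an authorization bug. The `patternIsAnchored` heuristic is deliberately conservative and is meant for auditing existing filter patterns, not as a parser for arbitrary regular expressions.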
GitHub assigns numeric user IDs sequentially, so older accounts have shorter IDs. The AWS maintainers' accounts were old, and their IDs had fewer digits than those issued today.
So, the researchers created hundreds of bot accounts on GitHub until one of the IDs matched the trusted-user pattern.
Now the external researchers were trusted. Acting as maintainers, they submitted a pull request adding a “malicious” NPM package dependency designed to extract GitHub credentials.
“Moments later, we had successfully obtained the GitHub credentials of the aws-sdk-js-v3 CodeBuild project.”
aws-sdk-js-v3 is the AWS JavaScript SDK (software development kit) repository, a core library that powers the AWS Console.
The obtained access token belonged to an automation user with full admin privileges over the repository. The Wiz researchers had complete control over the repository.
“This level of control provided a clear path for supply chain attacks. The JavaScript SDK is released on a weekly basis to GitHub and then to NPM. Abusing this frequent release schedule, attackers could have injected malicious payloads right before a release was published, compromising it,” the report reads.
A similar attack method had already been successfully executed just a month prior: hackers infected downstream users of the Amazon Q VS Code extension.
AWS confirmed that “a predictably acquired actor ID” could’ve been used to gain administrative permissions for the affected repositories.
“The researchers carefully demonstrated access to commit inappropriate code to one repository and promptly informed AWS Security of their research activity and its potential negative impact,” AWS said.
“We would like to thank Wiz Security’s research team for their work in identifying this issue and their responsible collaboration.”
The JavaScript SDK is used by roughly 66% of cloud environments, and any supply chain compromise could’ve been devastating, compromising countless applications.
But attackers exploiting the vulnerability could’ve gone even further and gained admin privileges over several other highly sensitive repositories.
AWS implemented additional mitigations, including credential rotations and further protections of build processes that contain GitHub tokens or any other credentials in memory.
AWS also audited all its open-source GitHub repositories to ensure no such misconfigurations exist across the entirety of AWS open-source projects. No indications of any threat actor taking advantage of the CodeBreach vulnerability were detected.