Cybersecurity researchers have disclosed a safety flaw impacting Amazon Internet Providers (AWS) Cloud Growth Equipment (CDK) that would have resulted in an account takeover below particular circumstances.
“The affect of this subject might, in sure eventualities, permit an attacker to achieve administrative entry to a goal AWS account, leading to a full account takeover,” Aqua stated in a report shared with The Hacker Information.
Following accountable disclosure on June 27, 2024, the problem was addressed by the venture maintainers in CDK model 2.149.0 launched in July.
AWS CDK is an open-source software program improvement framework for outlining cloud software assets utilizing Python, TypeScript, or JavaScript and provisioning them by way of CloudFormation.
The issue recognized by Aqua builds upon prior findings from the cloud safety agency about shadow assets in AWS, and the way predefined naming conventions for AWS Easy Storage Service (S3) buckets might be weaponized to orchestrate Bucket Monopoly assaults and acquire entry to delicate information.
Making ready an AWS atmosphere for utilization with the AWS Cloud Growth Equipment (AWS CDK) is achieved by a course of known as bootstrapping, whereby sure AWS assets are provisioned to the atmosphere. This contains an AWS S3 bucket, Amazon Elastic Container Registry (Amazon ECR) repository, and AWS Id and Entry Administration (IAM) roles.
“Assets and their configuration which are utilized by the CDK are outlined in an AWS CloudFormation template,” based on AWS documentation.
“To bootstrap an atmosphere, you employ the AWS CDK Command Line Interface (AWS CDK CLI) cdk bootstrap command. The CDK CLI retrieves the template and deploys it to AWS CloudFormation as a stack, often known as the bootstrap stack. By default, the stack identify is CDKToolkit.”
A number of the IAM roles created as a part of the bootstrapping course of grant permission to add and delete property from the related S3 bucket, in addition to carry out stack deployments with administrator entry.
Aqua stated the naming sample of the IAM roles created by AWS CDK follows the construction “cdk-{Qualifier}-{Description}-{Account-ID}-{Area},” the place every of the fields are defined under –
- Qualifier, a novel, nine-character string worth that defaults to “hnb659fds” though it may be custom-made throughout the bootstrapping section
- Description, useful resource description (e.g., cfn-exec-role)
- Account-ID, AWS account ID of the atmosphere
- Area, AWS area of the atmosphere
In an identical vein, the S3 bucket created throughout bootstrapping follows the naming sample “cdk-{Qualifier}-assets-{Account-ID}-{Area}.”
“Since many customers run the cdk bootstrap command with out customizing the qualifier, the S3 bucket naming sample of the staging bucket turns into predictable,” Aqua stated. “It is because the default worth for the bucket identify qualifier is ready to ‘hnb659fds,’ making it simpler to anticipate the bucket’s identify.”
With 1000’s of situations found on GitHub the place the default qualifier is used, this additionally signifies that guessing the bucket’s identify is so simple as discovering the AWS Account ID and the area to which the CDK is deployed.
Combining this side with the truth that S3 bucket names are globally distinctive throughout all AWS accounts, the loophole opens the door for what’s known as S3 Bucket Namesquatting (or Bucket Sniping), permitting an attacker to assert one other consumer’s CDK bucket if it would not exist already.
This might then pave the best way for a partial denial-of-service (DoS) when a consumer makes an attempt to bootstrap the CDK with the identical account ID and area, a state of affairs that might be resolved by specifying a customized qualifier throughout bootstrapping.
A extra severe consequence might happen if the sufferer’s CDK has permission to each learn and write information from and to the attacker-controlled S3 bucket, thereby making it doable to tamper with CloudFormation templates and execute malicious actions throughout the sufferer’s AWS account.
“The deploy position of the CloudFormation service, which is the position CloudFormationExecutionRole in CDK, has administrative privileges throughout the account by default,” Aqua identified.
“Which means any CloudFormation template written to the attacker’s S3 bucket by the sufferer’s CDK can be deployed later with administrative privileges within the sufferer’s account. This may permit the attacker to create privileged assets.”
In a hypothetical assault, ought to a consumer have initiated the CDK bootstrap course of up to now and subsequently deleted the S3 bucket attributable to quota limits, an adversary might make the most of the state of affairs to create a bucket with the identical identify.
This might then trigger the CDK to implicitly belief the rogue bucket and browse/write CloudFormation templates to it, making them vulnerable to exploitation. Nonetheless, for this to succeed, the attacker is predicted to fulfil the under conditions –
- Declare the bucket with the predictable identify and permit public entry
- Create a Lambda operate that may inject a malicious admin position or backdoor right into a given CloudFormation template file at any time when it is uploaded to the bucket
Within the last stage, when the consumer deploys the CDK utilizing “cdk deploy,” not solely does the method ship the template to the reproduction bucket, but additionally inject an admin position that the attacker can assume to finally acquire management of the sufferer’s account.
Put otherwise, the assault chain facilitates the creation of an admin position in a goal AWS account when a CDK S3 bucket arrange throughout the bootstrap course of is deleted and the CDK is used once more. AWS has since confirmed that roughly 1% of CDK customers have been susceptible to the assault vector.
The repair put in place by AWS ensures that property are solely uploaded to buckets throughout the consumer’s account in order to forestall the CDK from pushing information to buckets not owned by the account that launched the bootstrapping. It has additionally urged clients to make use of a bespoke qualifier as a substitute of the default “hnb659fds.”
In an announcement shared with The Hacker Information, AWS stated investigated and addressed all issues associated to unauthorized information publicity when finishing up CDK deployments.
“On July 12, 2024, AWS launched an replace to the AWS Cloud Growth Equipment (AWS CDK) CLI that carried out extra safety controls to mitigate the potential for information disclosure for patrons performing CDK deployments,” an AWS spokesperson instructed the publication.
“Clients utilizing the most recent model might want to carry out a one-time motion to improve their bootstrap assets. AWS has reached out to doubtlessly affected clients on to notify them of the necessity to improve, and has added extra checks to the CLI to remind customers to improve.”
That stated, consumer motion is required if bootstrapping was carried out utilizing CDK model v2.148.1 or earlier, necessitating that they replace the CDK to the most recent model and re-run the bootstrap command. Alternatively, customers have the choice of making use of an IAM coverage situation to the FilePublishingRole CDK position.
The findings as soon as once more name for maintaining AWS account IDs a secret, defining a scoped IAM coverage, and avoiding giving predictable names to S3 buckets.
“As a substitute, generate distinctive hashes or random identifiers per area and account, and incorporate them into your S3 bucket names,” Aqua concluded. “This technique helps shield towards attackers preemptively claiming your bucket.”
The disclosure comes as Broadcom-owned Symantec discovered a number of Android and iOS apps that hard-coded and unencrypted cloud service credentials for AWS and Microsoft Azure Blob Storage, placing consumer information in danger.
A number of the offending apps embody Pic Sew: Collage Maker, Crumbl, Eureka: Earn Cash for Surveys, Videoshop – Video Editor, Meru Cabs, Sulekha Enterprise, and ReSound Tinnitus Aid.
“This harmful observe signifies that anybody with entry to the app’s binary or supply code might doubtlessly extract these credentials and misuse them to control or exfiltrate information, resulting in extreme safety breaches,” safety researchers Yuanjing Guo and Tommy Dong stated.
(The story was up to date after publication to incorporate a response from AWS.)