Cybersecurity researchers have disclosed a safety flaw impacting Amazon Internet Providers (AWS) Cloud Improvement Package (CDK) that might have resulted in an account takeover beneath particular circumstances.
“The affect of this difficulty might, in sure eventualities, enable an attacker to achieve administrative entry to a goal AWS account, leading to a full account takeover,” Aqua stated in a report shared with The Hacker Information.
Following accountable disclosure on June 27, 2024, the difficulty was addressed by the mission maintainers in CDK model 2.149.0 launched in July.
AWS CDK is an open-source software program growth framework for outlining cloud utility assets utilizing Python, TypeScript, or JavaScript and provisioning them by way of CloudFormation.
The issue recognized by Aqua builds upon prior findings from the cloud safety agency about shadow assets in AWS, and the way predefined naming conventions for AWS Easy Storage Service (S3) buckets may very well be weaponized to orchestrate Bucket Monopoly assaults and acquire entry to delicate information.
Getting ready an AWS surroundings for utilization with the AWS Cloud Improvement Package (AWS CDK) is completed by a course of known as bootstrapping, whereby sure AWS assets are provisioned to the surroundings. This consists of an AWS S3 bucket, Amazon Elastic Container Registry (Amazon ECR) repository, and AWS Identification and Entry Administration (IAM) roles.
“Assets and their configuration which might be utilized by the CDK are outlined in an AWS CloudFormation template,” in keeping with AWS documentation.
“To bootstrap an surroundings, you employ the AWS CDK Command Line Interface (AWS CDK CLI) cdk bootstrap command. The CDK CLI retrieves the template and deploys it to AWS CloudFormation as a stack, referred to as the bootstrap stack. By default, the stack title is CDKToolkit.”
A number of the IAM roles created as a part of the bootstrapping course of grant permission to add and delete property from the related S3 bucket, in addition to carry out stack deployments with administrator entry.
Aqua stated the naming sample of the IAM roles created by AWS CDK follows the construction “cdk-{Qualifier}-{Description}-{Account-ID}-{Area},” the place every of the fields are defined beneath –
- Qualifier, a singular, nine-character string worth that defaults to “hnb659fds” though it may be personalized throughout the bootstrapping section
- Description, useful resource description (e.g., cfn-exec-role)
- Account-ID, AWS account ID of the surroundings
- Area, AWS area of the surroundings
In the same vein, the S3 bucket created throughout bootstrapping follows the naming sample “cdk-{Qualifier}-assets-{Account-ID}-{Area}.”
“Since many customers run the cdk bootstrap command with out customizing the qualifier, the S3 bucket naming sample of the staging bucket turns into predictable,” Aqua stated. “It is because the default worth for the bucket title qualifier is ready to ‘hnb659fds,’ making it simpler to anticipate the bucket’s title.”
With hundreds of situations found on GitHub the place the default qualifier is used, this additionally signifies that guessing the bucket’s title is so simple as discovering the AWS Account ID and the area to which the CDK is deployed.
Combining this side with the truth that S3 bucket names are globally distinctive throughout all AWS accounts, the loophole opens the door for what’s known as S3 Bucket Namesquatting (or Bucket Sniping), permitting an attacker to say one other person’s CDK bucket if it would not exist already.
This might then pave the way in which for a partial denial-of-service (DoS) when a person makes an attempt to bootstrap the CDK with the identical account ID and area, a state of affairs that may very well be resolved by specifying a customized qualifier throughout bootstrapping.
A extra severe consequence might happen if the sufferer’s CDK has permission to each learn and write information from and to the attacker-controlled S3 bucket, thereby making it doable to tamper with CloudFormation templates and execute malicious actions throughout the sufferer’s AWS account.
“The deploy function of the CloudFormation service, which is the function CloudFormationExecutionRole in CDK, has administrative privileges throughout the account by default,” Aqua identified.
“Because of this any CloudFormation template written to the attacker’s S3 bucket by the sufferer’s CDK can be deployed later with administrative privileges within the sufferer’s account. This might enable the attacker to create privileged assets.”
In a hypothetical assault, ought to a person have initiated the CDK bootstrap course of prior to now and subsequently deleted the S3 bucket because of quota limits, an adversary might benefit from the state of affairs to create a bucket with the identical title.
This might then trigger the CDK to implicitly belief the rogue bucket and skim/write CloudFormation templates to it, making them inclined to exploitation. Nonetheless, for this to succeed, the attacker is anticipated to fulfil the beneath conditions –
Declare the bucket with the predictable title and permit public entry
Create a Lambda perform that may inject a malicious admin function or backdoor right into a given CloudFormation template file at any time when it is uploaded to the bucket
Within the closing stage, when the person deploys the CDK utilizing “cdk deploy,” not solely does the method ship the template to the duplicate bucket, but additionally inject an admin function that the attacker can assume to in the end acquire management of the sufferer’s account.
Put in a different way, the assault chain facilitates the creation of an admin function in a goal AWS account when a CDK S3 bucket arrange throughout the bootstrap course of is deleted and the CDK is used once more. AWS has since confirmed that roughly 1% of CDK customers have been susceptible to the assault vector.
The repair put in place by AWS ensures that property are solely uploaded to buckets throughout the person’s account in order to stop the CDK from pushing information to buckets not owned by the account that launched the bootstrapping. It has additionally urged prospects to make use of a bespoke qualifier as a substitute of the default “hnb659fds.”
That stated, person motion is required if bootstrapping was carried out utilizing CDK model v2.148.1 or earlier, necessitating that they replace the CDK to the newest model and re-run the bootstrap command. Alternatively, customers have the choice of making use of an IAM coverage situation to the FilePublishingRole CDK function.
The findings as soon as once more name for conserving AWS account IDs a secret, defining a scoped IAM coverage, and avoiding giving predictable names to S3 buckets.
“As an alternative, generate distinctive hashes or random identifiers per area and account, and incorporate them into your S3 bucket names,” Aqua concluded. “This technique helps shield towards attackers preemptively claiming your bucket.”
The disclosure comes as Broadcom-owned Symantec discovered a number of Android and iOS apps that hard-coded and unencrypted cloud service credentials for AWS and Microsoft Azure Blob Storage, placing person information in danger.
A number of the offending apps embody Pic Sew: Collage Maker, Crumbl, Eureka: Earn Cash for Surveys, Videoshop – Video Editor, Meru Cabs, Sulekha Enterprise, and ReSound Tinnitus Reduction.
“This harmful observe signifies that anybody with entry to the app’s binary or supply code might doubtlessly extract these credentials and misuse them to control or exfiltrate information, resulting in extreme safety breaches,” safety researchers Yuanjing Guo and Tommy Dong stated.
