Cybersecurity researchers have disclosed a security flaw impacting Amazon Internet Companies (AWS) Cloud Improvement Package (CDK) that would have resulted in an account takeover underneath particular circumstances.
“The influence of this difficulty might, in sure situations, enable an attacker to achieve administrative entry to a goal AWS account, leading to a full account takeover,” Aqua stated in a report shared with The Hacker Information.
Following accountable disclosure on June 27, 2024, the problem was addressed by the undertaking maintainers in CDK model 2.149.0 launched in July.
AWS CDK is an open-source software program improvement framework for outlining cloud utility sources utilizing Python, TypeScript, or JavaScript and provisioning them by way of CloudFormation.
The issue recognized by Aqua builds upon prior findings from the cloud security agency about shadow sources in AWS, and the way predefined naming conventions for AWS Easy Storage Service (S3) buckets may very well be weaponized to orchestrate Bucket Monopoly assaults and achieve entry to delicate knowledge.
Getting ready an AWS setting for utilization with the AWS Cloud Improvement Package (AWS CDK) is completed by a course of known as bootstrapping, whereby sure AWS sources are provisioned to the setting. This contains an AWS S3 bucket, Amazon Elastic Container Registry (Amazon ECR) repository, and AWS Id and Entry Administration (IAM) roles.
“Assets and their configuration which can be utilized by the CDK are outlined in an AWS CloudFormation template,” in line with AWS documentation.
“To bootstrap an setting, you employ the AWS CDK Command Line Interface (AWS CDK CLI) cdk bootstrap command. The CDK CLI retrieves the template and deploys it to AWS CloudFormation as a stack, often known as the bootstrap stack. By default, the stack title is CDKToolkit.”
Among the IAM roles created as a part of the bootstrapping course of grant permission to add and delete belongings from the related S3 bucket, in addition to carry out stack deployments with administrator entry.
Aqua stated the naming sample of the IAM roles created by AWS CDK follows the construction “cdk-{Qualifier}-{Description}-{Account-ID}-{Area},” the place every of the fields are defined beneath –
- Qualifier, a novel, nine-character string worth that defaults to “hnb659fds” though it may be custom-made throughout the bootstrapping section
- Description, useful resource description (e.g., cfn-exec-role)
- Account-ID, AWS account ID of the setting
- Area, AWS area of the setting
In the same vein, the S3 bucket created throughout bootstrapping follows the naming sample “cdk-{Qualifier}-assets-{Account-ID}-{Area}.”
“Since many customers run the cdk bootstrap command with out customizing the qualifier, the S3 bucket naming sample of the staging bucket turns into predictable,” Aqua stated. “It is because the default worth for the bucket title qualifier is ready to ‘hnb659fds,’ making it simpler to anticipate the bucket’s title.”
With hundreds of situations found on GitHub the place the default qualifier is used, this additionally implies that guessing the bucket’s title is so simple as discovering the AWS Account ID and the area to which the CDK is deployed.
Combining this side with the truth that S3 bucket names are globally distinctive throughout all AWS accounts, the loophole opens the door for what’s known as S3 Bucket Namesquatting (or Bucket Sniping), permitting an attacker to say one other consumer’s CDK bucket if it would not exist already.
This might then pave the best way for a partial denial-of-service (DoS) when a consumer makes an attempt to bootstrap the CDK with the identical account ID and area, a situation that may very well be resolved by specifying a customized qualifier throughout bootstrapping.
A extra severe consequence might happen if the sufferer’s CDK has permission to each learn and write knowledge from and to the attacker-controlled S3 bucket, thereby making it doable to tamper with CloudFormation templates and execute malicious actions throughout the sufferer’s AWS account.
“The deploy position of the CloudFormation service, which is the position CloudFormationExecutionRole in CDK, has administrative privileges throughout the account by default,” Aqua identified.
“Which means that any CloudFormation template written to the attacker’s S3 bucket by the sufferer’s CDK could be deployed later with administrative privileges within the sufferer’s account. This might enable the attacker to create privileged sources.”
In a hypothetical assault, ought to a consumer have initiated the CDK bootstrap course of previously and subsequently deleted the S3 bucket on account of quota limits, an adversary might make the most of the state of affairs to create a bucket with the identical title.
This might then trigger the CDK to implicitly belief the rogue bucket and skim/write CloudFormation templates to it, making them inclined to exploitation. Nevertheless, for this to succeed, the attacker is predicted to fulfil the beneath conditions –
- Declare the bucket with the predictable title and permit public entry
- Create a Lambda operate that may inject a malicious admin position or backdoor right into a given CloudFormation template file each time it is uploaded to the bucket
Within the remaining stage, when the consumer deploys the CDK utilizing “cdk deploy,” not solely does the method ship the template to the duplicate bucket, but additionally inject an admin position that the attacker can assume to in the end achieve management of the sufferer’s account.
Put in a different way, the assault chain facilitates the creation of an admin position in a goal AWS account when a CDK S3 bucket arrange throughout the bootstrap course of is deleted and the CDK is used once more. AWS has since confirmed that roughly 1% of CDK customers had been weak to the assault vector.
The repair put in place by AWS ensures that belongings are solely uploaded to buckets throughout the consumer’s account in order to stop the CDK from pushing knowledge to buckets not owned by the account that launched the bootstrapping. It has additionally urged prospects to make use of a bespoke qualifier as a substitute of the default “hnb659fds.”
In an announcement shared with The Hacker Information, AWS stated investigated and addressed all issues associated to unauthorized knowledge publicity when finishing up CDK deployments.
“On July 12, 2024, AWS launched an replace to the AWS Cloud Improvement Package (AWS CDK) CLI that carried out extra security controls to mitigate the potential for knowledge disclosure for patrons performing CDK deployments,” an AWS spokesperson informed the publication.
“Clients utilizing the most recent model might want to carry out a one-time motion to improve their bootstrap sources. AWS has reached out to doubtlessly affected prospects on to notify them of the necessity to improve, and has added extra checks to the CLI to remind customers to improve.”
That stated, consumer motion is required if bootstrapping was carried out utilizing CDK model v2.148.1 or earlier, necessitating that they replace the CDK to the most recent model and re-run the bootstrap command. Alternatively, customers have the choice of making use of an IAM coverage situation to the FilePublishingRole CDK position.
The findings as soon as once more name for conserving AWS account IDs a secret, defining a scoped IAM coverage, and avoiding giving predictable names to S3 buckets.
“As a substitute, generate distinctive hashes or random identifiers per area and account, and incorporate them into your S3 bucket names,” Aqua concluded. “This technique helps shield towards attackers preemptively claiming your bucket.”
The disclosure comes as Broadcom-owned Symantec discovered a number of Android and iOS apps that hard-coded and unencrypted cloud service credentials for AWS and Microsoft Azure Blob Storage, placing consumer knowledge in danger.
Among the offending apps embody Pic Sew: Collage Maker, Crumbl, Eureka: Earn Cash for Surveys, Videoshop – Video Editor, Meru Cabs, Sulekha Enterprise, and ReSound Tinnitus Aid.
“This harmful observe implies that anybody with entry to the app’s binary or supply code might doubtlessly extract these credentials and misuse them to control or exfiltrate knowledge, resulting in extreme security breaches,” security researchers Yuanjing Guo and Tommy Dong stated.
(The story was up to date after publication to incorporate a response from AWS.)
