Red Hot Cyber
AWS CodeBuild Vulnerability Exposed: CodeBreach Threat Revealed

16 January 2026 13:25

Security researchers at Wiz have discovered a critical vulnerability in the AWS CodeBuild service that could allow an attacker to take complete control of Amazon’s GitHub repositories and potentially compromise customer cloud environments worldwide.

The vulnerability, dubbed CodeBreach, was disclosed by Amazon last August and patched in September before it could be exploited. Researchers say this prevented a supply chain attack that could have surpassed the infamous SolarWinds incident.

“This vulnerability compromised a key library used in the AWS console, the cloud’s central nervous system,” Yuval Avrahami, a researcher at Wiz, told The Register. Avrahami emphasized that if the SolarWinds attack had allowed attackers to access corporate networks, this flaw could have allowed code execution directly within the interface through which administrators manage the entire infrastructure.

The cause of the vulnerability was revealed to be very simple: two characters were missing from the webhook filters. CodeBuild is Amazon’s managed continuous integration service that frequently connects to GitHub repositories. Special filters are used to protect against untrusted pull requests, and one of these, ACTOR_ID, allows you to create a list of approved GitHub users authorized to run builds.

The problem was that the regular expression for this filter wasn’t “anchored,” meaning it lacked the start-of-string and end-of-string anchors. Without them, the system did not require an exact ID match but only searched for the approved ID as a substring. This meant that any GitHub user whose ID contained the ID of an approved maintainer could bypass the protection.
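To make the anchoring point concrete, here is an added example (not code from Wiz, AWS, or the article) that models an ACTOR_ID-style allow-list filter in Python. The IDs are constructed sample values, not real GitHub account IDs, and the filter is simplified to "a regex applied to the actor ID field". It shows how an unanchored pattern accepts any ID that merely contains the approved ID, how adding the two anchor characters closes the gap, and includes a small configuration check a team could run over its own filter patterns to catch missing anchors.

```python
import re

# Constructed sample values (not real GitHub account IDs).
APPROVED_MAINTAINER_ID = "1234567"
CANDIDATE_ACTOR_IDS = [
    "1234567",   # the approved maintainer: must be allowed
    "91234567",  # contains the approved ID as a substring: must be denied
    "12345678",  # approved ID as a prefix: must be denied
    "7654321",   # unrelated account: must be denied
]


def allows_actor(pattern: str, actor_id: str) -> bool:
    """Model of the webhook filter engine: the configured regex is searched
    for anywhere in the actor ID field. Whether this is safe depends entirely
    on whether the pattern itself is anchored."""
    return re.search(pattern, actor_id) is not None


def evaluate(pattern: str, actor_ids: list[str]) -> dict[str, bool]:
    """Return {actor_id: allowed?} for every candidate under one pattern."""
    return {aid: allows_actor(pattern, aid) for aid in actor_ids}


def _has_top_level_alternation(pattern: str) -> bool:
    """True if the pattern contains a '|' outside any parentheses.
    Such a pattern is only anchored if *every* alternative is anchored,
    so a leading '^' and trailing '$' alone are not enough.
    (Character classes are not tracked; adequate for numeric ID lists.)"""
    depth, i = 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return True
        i += 1
    return False


def pattern_is_anchored(pattern: str) -> bool:
    """Configuration check: does this allow-list pattern force a whole-string
    match? Accepts the ^...$ and \\A...\\Z forms, rejects a trailing escaped
    dollar sign, and rejects unparenthesised alternations."""
    starts = pattern.startswith(("^", r"\A"))
    ends = pattern.endswith(("$", r"\Z")) and not pattern.endswith(r"\$")
    return starts and ends and not _has_top_level_alternation(pattern)


def anchor_pattern(pattern: str) -> str:
    """Harden a pattern by anchoring it at both ends. The non-capturing group
    makes alternations such as 111|222 anchor as a unit, so ^111|222$ style
    mistakes cannot occur."""
    if pattern_is_anchored(pattern):
        return pattern
    return f"^(?:{pattern})$"


if __name__ == "__main__":
    flawed = APPROVED_MAINTAINER_ID            # "1234567": unanchored
    fixed = anchor_pattern(flawed)             # "^(?:1234567)$"
    print("flawed pattern anchored?", pattern_is_anchored(flawed))
    print("flawed:", evaluate(flawed, CANDIDATE_ACTOR_IDS))
    print("fixed: ", evaluate(fixed, CANDIDATE_ACTOR_IDS))
```

Running the block prints that the flawed pattern admits three of the four candidate IDs, including the two that only contain the maintainer's ID, while the anchored pattern admits only the exact ID. The `^(?:...)$` wrapper is used rather than a bare `^...$` because an allow-list of several maintainers is naturally written as an alternation, and `^111|222$` anchors only one side of each alternative.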

Wiz researchers found a way to register the required ID using the GitHub Apps feature, automating the creation of two hundred application registration requests. One of these was successful, allowing them to obtain the trusted ID of the maintainer of the AWS SDK for JavaScript repository.

They then prepared a pull request that seemed like a simple solution to a real problem. However, it contained a hidden payload: an NPM package dependency designed to extract GitHub credentials from the build environment. Within moments, the researchers had full access to the repository and were able to create an administrator with permissions to publish code to the master branch and approve pull requests.

The potential scope of the attack is impressive: according to Wiz, Amazon’s JavaScript SDK is used in 66% of cloud environments, and one of its users is the AWS console itself. An attacker could inject malicious code into the SDK shortly before its weekly release, infecting all users of the library.

According to Avrahami, carrying out such an attack didn’t require any special technical skills: an average developer’s level would have been sufficient. The real challenge was disguising the malicious code as if it were harmless.

Amazon stated that the vulnerability did not affect any of its customers’ environments or services. The cloud giant fixed the issue within 48 hours of the initial report, checked all public build environments, and reviewed logs, confirming that no one, other than Wiz researchers, had exploited the flaw. The company also published a security bulletin related to the incident.

However, Avrahami warns that this threat isn’t unique to AWS. This vulnerability exploits a security blind spot in CI/CD pipelines, and all major cloud providers and technology companies using GitHub Actions, Jenkins, or other continuous integration systems are at similar risk.
