Amazon fixes flaw that threatened 66% of cloud infrastructure
TL;DR
A critical flaw in the Amazon Web Services (AWS) CodeBuild service put the build pipelines behind an estimated 66% of cloud environments worldwide at risk. Identified by the security firm Wiz and dubbed CodeBreach, the vulnerability was patched in September 2024, with no evidence that it had been exploited.
The vulnerability originated in the regular-expression patterns that CodeBuild webhook filters use to validate the account ID of the user or app triggering a build. Because the patterns lacked the anchors ^ (start of string) and $ (end of string), any ID that merely contained a trusted ID as a substring was accepted, which opened the door to a supply-chain attack on the code built by those pipelines.
How the vulnerability was identified
The Wiz team began examining AWS's own continuous integration pipelines after the attack on the Amazon Q extension for VS Code. During that analysis they found that the access-control filter on CodeBuild webhooks was misconfigured.
The filter in question, ACTOR_ACCOUNT_ID, is meant to act as an allow-list of trusted actors, but the regular expressions it was given were not restrictive enough: with no anchors, any account ID containing a trusted ID as a substring passed the check.
Ease of exploitation
The team demonstrated how easy the flaw was to exploit by registering around 200 automated applications (GitHub Apps) on GitHub. Because GitHub assigns these IDs sequentially, they quickly obtained an ID that contained a trusted ID as a substring and therefore bypassed the filter.
The researchers then showed that an apparently legitimate commit could carry hidden code that, when the pull request triggered a trusted build, would steal the GitHub credentials available to the build job, with potentially disastrous results.
The extent of the risk
The flaw affected several significant AWS repositories, the most critical being the AWS SDK for JavaScript, which is used in 66% of cloud environments. Compromising it would have had serious consequences, not least because the same SDK is used by the AWS Management Console itself.
Comparison with previous incidents
The potential impact was compared to the 2020 SolarWinds attack, which compromised around 18,000 customers. A similar supply-chain attack on AWS raised even greater concern, since a poisoned SDK could have granted attackers direct access to sensitive data and critical systems across the cloud.
Hypothetical attack scenario
Had criminals found the vulnerability first, they could have registered enough applications to obtain an ID that passed the filter, then opened a pull request containing malicious code to trigger a trusted build. A compromised build of the SDK could have shipped a backdoor to the millions of applications that depend on it.
Rapid resolution by AWS
After being notified by Wiz in August 2024, AWS fixed the flaw within 48 hours by adjusting the regular expressions to include the missing anchors. An audit found no evidence that anyone else had exploited the flaw, and additional safeguards were put in place to prevent similar misconfigurations.
A review of CloudTrail logs confirmed that finding, and new protections were added to the build processes.
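The following is an added example, not code from Wiz or AWS, that models the weak and the corrected filter described above. It treats a CodeBuild-style webhook filter group as a list of type/pattern entries evaluated with Python's `re.search` (substring semantics), uses a constructed trusted account ID, and simulates the sequential-ID search the researchers performed. Function and constant names are my own, and the IDs are invented.

```python
"""Added example: unanchored vs anchored ACTOR_ACCOUNT_ID filters.

Not the page's or AWS's code. Assumptions (mine): filter patterns are
regular expressions evaluated with re.search, EVENT patterns are a
comma-separated list of event names, and all account IDs are constructed.
"""
import re

# Constructed trusted account ID (hypothetical, not a real GitHub ID).
TRUSTED_ACTOR_ID = "12345"

# Weak filter group: the ACTOR_ACCOUNT_ID pattern has no ^ / $ anchors,
# mirroring the pre-fix configuration the article describes.
WEAK_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": TRUSTED_ACTOR_ID},
]

# Hardened filter group: same ID, anchored so only an exact match passes.
HARDENED_FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": f"^{re.escape(TRUSTED_ACTOR_ID)}$"},
]


def filter_matches(filter_group, event):
    """Return True if every filter in the group accepts the webhook event.

    `event` maps filter types to the values carried by the webhook, e.g.
    {"EVENT": "PULL_REQUEST_CREATED", "ACTOR_ACCOUNT_ID": "112345"}.
    Non-EVENT patterns are applied with re.search, so an unanchored pattern
    matches anywhere inside the value.
    """
    for f in filter_group:
        value = event.get(f["type"], "")
        if f["type"] == "EVENT":
            if value not in f["pattern"].split(","):
                return False
        elif not re.search(f["pattern"], value):
            return False
    return True


def sequential_ids(start, count):
    """Constructed stand-in for sequentially assigned GitHub App IDs."""
    return [str(i) for i in range(start, start + count)]


def find_bypassing_ids(filter_group, candidate_ids):
    """Candidate IDs, other than the trusted one, that pass the filter."""
    hits = []
    for actor_id in candidate_ids:
        event = {"EVENT": "PULL_REQUEST_CREATED", "ACTOR_ACCOUNT_ID": actor_id}
        if actor_id != TRUSTED_ACTOR_ID and filter_matches(filter_group, event):
            hits.append(actor_id)
    return hits


def unanchored_actor_filters(filter_group):
    """Audit helper: ACTOR_ACCOUNT_ID patterns missing a ^ or $ anchor."""
    return [
        f["pattern"]
        for f in filter_group
        if f["type"] == "ACTOR_ACCOUNT_ID"
        and not (f["pattern"].startswith("^") and f["pattern"].endswith("$"))
    ]


if __name__ == "__main__":
    # Simulate registering 200 apps and checking which IDs slip through.
    ids = sequential_ids(112300, 200)
    print("weak filter bypassed by:", find_bypassing_ids(WEAK_FILTER_GROUP, ids))
    print("hardened filter bypassed by:", find_bypassing_ids(HARDENED_FILTER_GROUP, ids))
    print("unanchored patterns in weak group:", unanchored_actor_filters(WEAK_FILTER_GROUP))
```

With the weak group, the constructed ID 112345 passes because the unanchored pattern 12345 is found inside it; the anchored pattern accepts only the exact trusted ID. The `unanchored_actor_filters` helper is the quick check to run over your own webhook filter groups: any ACTOR_ACCOUNT_ID pattern it reports should be anchored or replaced with an exact ID.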
Content selected and edited with AI assistance. Original sources referenced above.