NEWS Poison in the Heart of Amazon: A Vulnerability Discovered That Allowed Code Poisoning and Silently Infected 66% of All Cloud Environments Worldwide

pinkman

How to get full control over AWS repositories just by choosing a nice GitHub ID?

Researchers at Wiz discovered a critical vulnerability in AWS infrastructure that, under unfavorable conditions, could have compromised the entire Amazon Web Services ecosystem, including the management console and customer accounts worldwide.
The vulnerability concerns AWS CodeBuild, the service that automatically builds and subsequently deploys code for most Amazon projects. A flaw allowed attackers to gain administrative access to key AWS repositories on GitHub, including those on which the AWS console directly depends.
According to Wiz, the vulnerability was so severe that an unauthorized attacker could inject malicious code into official AWS libraries. This paved the way for a large-scale supply-chain attack, potentially impacting millions of cloud environments.
The researchers dubbed the discovery CodeBreach. Exploiting the chain of flaws leaked privileged credentials; with them, an attacker effectively became a repository administrator. In that position it was possible to commit changes directly to the master branch, approve any pull request, and access secrets stored in the repository.
A particular danger was the compromise of the aws-sdk-js-v3 repository, Amazon's JavaScript SDK. This library underlies the AWS Console and is widely used by third-party developers. According to Wiz, the JavaScript SDK is used in approximately 66% of cloud environments, and its compromise could have set off a cascading chain of compromises.
The root cause of the problem turned out to be surprisingly simple. Wiz examined the mechanism by which AWS determines which GitHub users have been vetted by project maintainers. CodeBuild used a filter that checked GitHub user IDs with a simple expression.
The error occurred because the check did not require an exact ID match. If the trusted maintainer had the ID "12345," then a user with the ID "0123456" also passed the check, because that string merely contains the expected character sequence.
GitHub issues numeric IDs sequentially, so older accounts have shorter IDs. The researchers took advantage of this and registered multiple accounts until one received an ID that satisfied the filter. At that point, the external researchers effectively became trusted contributors to the project.
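The mismatch described above, as an added illustration that is not Wiz's or AWS's code: a toy model of a webhook actor-ID filter that compares GitHub IDs with an unanchored pattern, beside an anchored exact-match version, run over constructed sample IDs.

```javascript
// Added example: a simplified model of a CI webhook filter that decides
// whether a pull-request event comes from a trusted maintainer.
// TRUSTED_IDS are constructed sample values, not real GitHub IDs.
const TRUSTED_IDS = ["12345", "67890"];

// Weak variant, as described in the article: the trusted ID only has to
// appear somewhere inside the incoming actor ID, so "0123456" passes.
function isTrustedSubstring(actorId) {
  return TRUSTED_IDS.some((id) => new RegExp(id).test(actorId));
}

// Hardened variant: reject anything that is not a plain digit string,
// then require the whole value to equal a trusted ID (anchored pattern).
function isTrustedExact(actorId) {
  if (typeof actorId !== "string" || !/^\d+$/.test(actorId)) return false;
  return TRUSTED_IDS.some((id) => new RegExp(`^${id}$`).test(actorId));
}

// Evaluate one actor under both filters.
function evaluate(actorId) {
  return {
    actorId,
    substring: isTrustedSubstring(actorId),
    exact: isTrustedExact(actorId),
  };
}

// Constructed sample actors: the real maintainer, an account whose ID
// merely contains the maintainer's ID, and an unrelated account.
const SAMPLE_ACTORS = ["12345", "0123456", "99999"];

// Returns the decision table; a practitioner auditing a filter would
// look for rows where substring is true but exact is false.
function audit() {
  return SAMPLE_ACTORS.map(evaluate);
}

for (const row of audit()) {
  console.log(row);
}
```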
In that role, they submitted a pull request that pulled in an external NPM package configured to capture GitHub credentials. A short time later, they obtained an access token with full administrative rights for the aws-sdk-js-v3 repository. The token belonged to an account with administrative rights, which meant complete control over the repository and the ability to inject code unnoticed.
The JavaScript SDK is updated weekly and automatically published first to GitHub and then to NPM. An attacker could have planted code just before a release, after which the infected version would have spread across thousands of projects. This exploitation scheme has been used before: just a month ago, attackers compromised the Amazon Q extension for VS Code, demonstrating that such a scenario is indeed realistic.
AWS has since announced that the vulnerability has been patched and all associated risks have been closed.
The Wiz researchers limited their demonstration to harmless actions and immediately contacted AWS's security team. In response, the company rotated credentials, strengthened its build processes, and reviewed all of its public GitHub repositories.
According to AWS, there were no indications that the vulnerability had been exploited by real attackers.
As Wiz notes, such systems create ideal conditions for an attack with a significant barrier to entry and maximum impact. While there were no leaks or customer compromises in this case, the situation itself was a wake-up call for the entire industry.