Cybersecurity researchers have disclosed a safety flaw impacting Amazon Net Providers (AWS) Cloud Improvement Equipment (CDK) that would have resulted in an account takeover underneath particular circumstances.
“The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover,” Aqua stated in a report shared with The Hacker Information.
Following accountable disclosure on June 27, 2024, the difficulty was addressed by the challenge maintainers in CDK model 2.149.0 launched in July.
AWS CDK is an open-source software program growth framework for outlining cloud utility sources utilizing Python, TypeScript, or JavaScript and provisioning them by way of CloudFormation.
The issue recognized by Aqua builds upon prior findings from the cloud safety agency about shadow sources in AWS, and the way predefined naming conventions for AWS Easy Storage Service (S3) buckets may very well be weaponized to orchestrate Bucket Monopoly assaults and acquire entry to delicate knowledge.
Making ready an AWS setting for utilization with the AWS Cloud Improvement Equipment (AWS CDK) is completed by a course of known as bootstrapping, whereby sure AWS sources are provisioned to the setting. This consists of an AWS S3 bucket, Amazon Elastic Container Registry (Amazon ECR) repository, and AWS Id and Entry Administration (IAM) roles.
“Resources and their configuration that are used by the CDK are defined in an AWS CloudFormation template,” in response to AWS documentation.
“To bootstrap an environment, you use the AWS CDK Command Line Interface (AWS CDK CLI) cdk bootstrap command. The CDK CLI retrieves the template and deploys it to AWS CloudFormation as a stack, known as the bootstrap stack. By default, the stack name is CDKToolkit.”
A number of the IAM roles created as a part of the bootstrapping course of grant permission to add and delete property from the related S3 bucket, in addition to carry out stack deployments with administrator entry.
Aqua stated the naming sample of the IAM roles created by AWS CDK follows the construction “cdk-{Qualifier}-{Description}-{Account-ID}-{Region},” the place every of the fields are defined beneath –
- Qualifier, a novel, nine-character string worth that defaults to “hnb659fds” though it may be personalized in the course of the bootstrapping part
- Description, useful resource description (e.g., cfn-exec-role)
- Account-ID, AWS account ID of the setting
- Area, AWS area of the setting
In the same vein, the S3 bucket created throughout bootstrapping follows the naming sample “cdk-{Qualifier}-assets-{Account-ID}-{Region}.”
“Since many users run the cdk bootstrap command without customizing the qualifier, the S3 bucket naming pattern of the staging bucket becomes predictable,” Aqua stated. “This is because the default value for the bucket name qualifier is set to ‘hnb659fds,’ making it easier to anticipate the bucket’s name.”
With hundreds of cases found on GitHub the place the default qualifier is used, this additionally signifies that guessing the bucket’s identify is so simple as discovering the AWS Account ID and the area to which the CDK is deployed.
Combining this side with the truth that S3 bucket names are globally distinctive throughout all AWS accounts, the loophole opens the door for what’s known as S3 Bucket Namesquatting (or Bucket Sniping), permitting an attacker to say one other consumer’s CDK bucket if it does not exist already.
This might then pave the best way for a partial denial-of-service (DoS) when a consumer makes an attempt to bootstrap the CDK with the identical account ID and area, a situation that may very well be resolved by specifying a customized qualifier throughout bootstrapping.
A extra critical consequence may happen if the sufferer’s CDK has permission to each learn and write knowledge from and to the attacker-controlled S3 bucket, thereby making it doable to tamper with CloudFormation templates and execute malicious actions throughout the sufferer’s AWS account.
“The deploy role of the CloudFormation service, which is the role CloudFormationExecutionRole in CDK, has administrative privileges within the account by default,” Aqua identified.
“This means that any CloudFormation template written to the attacker’s S3 bucket by the victim’s CDK would be deployed later with administrative privileges in the victim’s account. This would allow the attacker to create privileged resources.”
In a hypothetical assault, ought to a consumer have initiated the CDK bootstrap course of up to now and subsequently deleted the S3 bucket on account of quota limits, an adversary may make the most of the state of affairs to create a bucket with the identical identify.
This might then trigger the CDK to implicitly belief the rogue bucket and browse/write CloudFormation templates to it, making them inclined to exploitation. Nevertheless, for this to succeed, the attacker is anticipated to fulfil the beneath conditions –
Declare the bucket with the predictable identify and permit public entry
Create a Lambda operate that may inject a malicious admin function or backdoor right into a given CloudFormation template file every time it is uploaded to the bucket
Within the last stage, when the consumer deploys the CDK utilizing “cdk deploy,” not solely does the method ship the template to the reproduction bucket, but additionally inject an admin function that the attacker can assume to in the end acquire management of the sufferer’s account.
Put in another way, the assault chain facilitates the creation of an admin function in a goal AWS account when a CDK S3 bucket arrange in the course of the bootstrap course of is deleted and the CDK is used once more. AWS has since confirmed that roughly 1% of CDK customers had been susceptible to the assault vector.
The repair put in place by AWS ensures that property are solely uploaded to buckets throughout the consumer’s account in order to forestall the CDK from pushing knowledge to buckets not owned by the account that launched the bootstrapping. It has additionally urged clients to make use of a bespoke qualifier as a substitute of the default “hnb659fds.”
That stated, consumer motion is required if bootstrapping was carried out utilizing CDK model v2.148.1 or earlier, necessitating that they replace the CDK to the newest model and re-run the bootstrap command. Alternatively, customers have the choice of making use of an IAM coverage situation to the FilePublishingRole CDK function.
The findings as soon as once more name for conserving AWS account IDs a secret, defining a scoped IAM coverage, and avoiding giving predictable names to S3 buckets.
“Instead, generate unique hashes or random identifiers per region and account, and incorporate them into your S3 bucket names,” Aqua concluded. “This strategy helps protect against attackers preemptively claiming your bucket.”
The disclosure comes as Broadcom-owned Symantec discovered a number of Android and iOS apps that hard-coded and unencrypted cloud service credentials for AWS and Microsoft Azure Blob Storage, placing consumer knowledge in danger.
A number of the offending apps embrace Pic Sew: Collage Maker, Crumbl, Eureka: Earn Cash for Surveys, Videoshop – Video Editor, Meru Cabs, Sulekha Enterprise, and ReSound Tinnitus Aid.
“This dangerous practice means that anyone with access to the app’s binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches,” safety researchers Yuanjing Guo and Tommy Dong stated.