Cyber security news for all

    AWS Cloud Development Kit Vulnerability Presents Risk of Account Compromise

    Security experts have revealed a critical flaw within the AWS Cloud Development Kit (CDK) that could have allowed adversaries to seize control of user accounts under specific circumstances.

    “The implications of this vulnerability could, in certain cases, enable an attacker to acquire administrative privileges over a targeted AWS account, leading to full account takeover,” cybersecurity firm Aqua noted in a report shared with The Hacker News.

    Following a responsible disclosure on June 27, 2024, the project maintainers remedied the issue with the release of CDK version 2.149.0 in July.

    The AWS CDK is a versatile open-source framework designed for provisioning cloud resources via CloudFormation by using programming languages like Python, TypeScript, or JavaScript.

    The flaw, identified by Aqua, builds upon previous discoveries related to shadow resources in AWS environments, particularly the exploitation of naming conventions for Amazon S3 buckets. This vulnerability enables malicious actors to conduct Bucket Monopoly attacks, potentially gaining unauthorized access to sensitive data.

    The AWS CDK bootstraps environments by provisioning the resources deployments need: an S3 bucket for assets, an Amazon Elastic Container Registry (ECR) repository, and Identity and Access Management (IAM) roles.

    “CDK resources and their configurations are orchestrated via AWS CloudFormation templates,” according to AWS documentation.

    The bootstrapping process, initiated with the cdk bootstrap command of the AWS CDK CLI, creates a CloudFormation stack with the default name CDKToolkit. The IAM roles created during this setup grant permission to upload and delete assets in the associated S3 bucket, as well as admin-level rights for deployment.

    Aqua pointed out that the IAM roles adhere to a consistent naming convention:

    • Qualifier: A unique nine-character string, defaulting to “hnb659fds” unless customized.
    • Description: A brief role descriptor (e.g., cfn-exec-role).
    • Account-ID: The target AWS account ID.
    • Region: The AWS region in which the environment operates.

    Similarly, S3 buckets follow a predictable pattern: cdk-{Qualifier}-assets-{Account-ID}-{Region}. This pattern’s predictability arises from the default “hnb659fds” qualifier, which many users fail to alter during bootstrapping. Aqua highlighted that thousands of cases on GitHub show the default qualifier in use, making S3 bucket names easier to predict.
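The naming scheme above is predictable in both directions: from an account ID and region a defender can compute the exact bucket name each bootstrapped environment expects, and can then check whether that bucket still exists in the account. The following audit is an added example, not code from Aqua or the CDK project; the bucket pattern is the one quoted in the article, while the inventory data is constructed and the regex bounds on the qualifier (up to 10 lowercase alphanumerics) are an assumption.

```python
import re
from dataclasses import dataclass

# Default CDK bootstrap qualifier named in the article.
DEFAULT_QUALIFIER = "hnb659fds"

# Asset-bucket pattern from the article: cdk-{Qualifier}-assets-{Account-ID}-{Region}.
# Qualifier: up to 10 lowercase alphanumerics (assumed); account: 12 digits; region: e.g. us-east-1.
ASSET_BUCKET_RE = re.compile(
    r"^cdk-(?P<qualifier>[a-z0-9]{1,10})-assets-(?P<account>\d{12})"
    r"-(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)$"
)


def expected_asset_bucket(account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Name the CDK asset bucket a bootstrap with these parameters will use."""
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def parse_asset_bucket(name: str):
    """Return the qualifier/account/region of a CDK asset bucket name, or None if it is not one."""
    m = ASSET_BUCKET_RE.match(name)
    return m.groupdict() if m else None


@dataclass
class Finding:
    account_id: str
    region: str
    bucket: str
    issue: str


def audit_bootstrap_buckets(bootstraps, owned_buckets):
    """Check every bootstrapped environment against the buckets the account actually owns.

    bootstraps: (account_id, region, qualifier) for each environment with a CDKToolkit stack.
    owned_buckets: names of all S3 buckets in the account (e.g. from a ListBuckets call).
    """
    findings = []
    for account_id, region, qualifier in bootstraps:
        bucket = expected_asset_bucket(account_id, region, qualifier)
        if bucket not in owned_buckets:
            # The stack still expects this name, but nobody in this account holds it:
            # any other AWS account can claim it (the deleted-bucket case in the article).
            findings.append(Finding(account_id, region, bucket,
                                    "asset bucket missing: name is claimable by any AWS account"))
        if qualifier == DEFAULT_QUALIFIER:
            findings.append(Finding(account_id, region, bucket,
                                    "default qualifier: bucket name is predictable from account ID and region"))
    return findings


# Constructed sample inventory (not real accounts or buckets).
BOOTSTRAPS = [
    ("111122223333", "us-east-1", "hnb659fds"),   # default qualifier, bucket present
    ("111122223333", "eu-west-1", "hnb659fds"),   # default qualifier, bucket deleted
    ("111122223333", "us-west-2", "prod7x9k1"),   # custom qualifier, bucket present
]
OWNED_BUCKETS = {
    "cdk-hnb659fds-assets-111122223333-us-east-1",
    "cdk-prod7x9k1-assets-111122223333-us-west-2",
    "my-app-logs",
}

if __name__ == "__main__":
    for f in audit_bootstrap_buckets(BOOTSTRAPS, OWNED_BUCKETS):
        print(f"{f.region:<10} {f.bucket}: {f.issue}")
```

In a real account the two inputs come from listing CloudFormation stacks named CDKToolkit per region (reading the qualifier from the stack parameters) and from a single ListBuckets call; a "missing" finding is the condition the rest of the article describes, and is the one to act on first.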

    Because S3 bucket names must be globally unique across AWS accounts, this loophole could be exploited for S3 Bucket Namesquatting—allowing attackers to claim the name before an unsuspecting user does. This could lead to a denial-of-service (DoS) scenario when users try to bootstrap the CDK under the same account ID and region.

    An even graver threat arises if the victim’s CDK has permissions to read from and write to the malicious bucket, which could enable tampering with CloudFormation templates and the execution of malicious actions within the victim’s AWS environment.

    By default, the deploy role (CloudFormationExecutionRole) possesses administrative privileges, meaning any template written to the attacker’s bucket could later be executed with full access to the victim’s account.

    Aqua illustrated a hypothetical attack:
    If a user bootstrapped an environment previously and later deleted the associated S3 bucket, for example to stay within quota limits, an attacker could create a new bucket with the same name. Once that bucket exists, the CDK could inadvertently trust it, reading templates from and writing templates to a bucket under the attacker's control.

    For the attack to be successful, the attacker would need to:

    1. Claim the predictable bucket name.
    2. Grant public access to the bucket.
    3. Create a Lambda function that injects a malicious admin role or backdoor into any CloudFormation template uploaded to the bucket.

    Upon deployment (cdk deploy), the CDK would upload the template to the attacker’s bucket, allowing the injected admin role to grant the attacker control over the account.

    The attack path essentially leads to the creation of an admin role in the victim’s AWS account once a CDK bucket is deleted and re-deployed. AWS has confirmed that around 1% of CDK users were susceptible to this attack vector.

    The fix ensures that assets can only be uploaded to buckets within the user's own account, preventing the CDK from pushing data to buckets it does not own. AWS has also advised customers to adopt a custom qualifier instead of the default “hnb659fds.”

    Users who bootstrapped using CDK versions prior to 2.149.0 are urged to upgrade to the latest version and re-run the bootstrap command. Alternatively, they can apply a restrictive IAM policy to the FilePublishingRole.
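The reason a name-based grant is not enough, and what the restrictive policy on the FilePublishingRole must add, is easiest to see by evaluating a write against both policy shapes. The block below is an added example, not the CDK project's bootstrap template or Aqua's code: the two policies are our rendering of the weak and corrected statements, the evaluator is a deliberately minimal model of IAM (pattern matching on action and resource, StringEquals conditions, explicit Deny wins), and the account IDs and object key are constructed. aws:ResourceAccount is the standard global condition key carrying the account ID that owns the bucket being accessed.

```python
import fnmatch

OWN_ACCOUNT = "111122223333"     # constructed: the account running cdk deploy
OTHER_ACCOUNT = "999988887777"   # constructed: an unrelated account holding a same-named bucket
BUCKET = "cdk-hnb659fds-assets-111122223333-us-east-1"   # default-qualifier name per the article's pattern
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/assets/template.json"

ASSET_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
ASSET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Weak shape (our rendering, not the project's template): the grant is keyed on the bucket
# *name*. S3 ARNs carry no account ID, so the statement matches whoever owns that name today.
POLICY_BEFORE = {"Statement": [
    {"Effect": "Allow", "Action": ASSET_ACTIONS, "Resource": ASSET_RESOURCES},
]}

# Corrected shape (our rendering of the "own account only" fix): same grant, but only when
# the bucket belongs to this account, as reported by the aws:ResourceAccount condition key.
POLICY_AFTER = {"Statement": [
    {"Effect": "Allow", "Action": ASSET_ACTIONS, "Resource": ASSET_RESOURCES,
     "Condition": {"StringEquals": {"aws:ResourceAccount": OWN_ACCOUNT}}},
]}


def _matches(patterns, value):
    # IAM-style wildcard matching on action names and ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition, context):
    # Only StringEquals is modelled; that is all the corrected statement needs.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def upload_outcomes(policy):
    """Can the role write an asset to the bucket when it is owned by us vs. by someone else?"""
    return {
        owner: is_allowed(policy, "s3:PutObject", OBJECT_ARN, {"aws:ResourceAccount": owner})
        for owner in (OWN_ACCOUNT, OTHER_ACCOUNT)
    }


if __name__ == "__main__":
    print("before fix:", upload_outcomes(POLICY_BEFORE))   # both owners allowed
    print("after fix: ", upload_outcomes(POLICY_AFTER))    # only OWN_ACCOUNT allowed
```

The point the evaluator makes is that tightening the Resource list cannot close this gap, because two buckets with the same name in different accounts have the same ARN; only a condition on the owning account distinguishes them. When applying such a policy by hand to an existing FilePublishingRole, use the account's own ID as the condition value and confirm afterwards that cdk deploy still publishes assets normally.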

    The disclosure underscores the importance of safeguarding AWS account IDs, defining scoped IAM policies, and avoiding predictable S3 bucket names. Instead, Aqua recommends using unique hashes or random identifiers per region and account, and incorporating these into S3 bucket names.

    In a separate development, Symantec, now under Broadcom’s ownership, discovered numerous Android and iOS apps that hard-coded unencrypted cloud service credentials for AWS and Azure Blob Storage, jeopardizing user data. Among the affected apps were Pic Stitch: Collage Maker, Crumbl, and Videoshop – Video Editor, with these credentials leaving the door wide open for data manipulation and extraction.

    “This risky practice exposes sensitive cloud credentials, allowing anyone with access to the app’s binary or source code to misuse them, leading to severe security breaches,” noted researchers Yuanjing Guo and Tommy Dong.
