hnb659fds: A dangerous habit that became the key to accessing AWS

Man
A common omission served as a starting point for large-scale attacks.

Cybersecurity researchers have identified a vulnerability in the Cloud Development Kit (CDK) from Amazon Web Services (AWS), which, under certain conditions, leads to account takeover. According to today's report from Aqua Security, the problem allows attackers to gain administrative access to the target AWS account, which opens up the possibility of full control over the account.

CDK is an open-source framework for defining cloud resources using Python, TypeScript, or JavaScript and then deploying them through CloudFormation. The problem is related to the use of predictable naming patterns for IAM roles and S3 buckets.

Aqua noted that because the default identifier "hnb659fds" is so widely used to name S3 buckets during the bootstrapping process, an attacker can claim such buckets in advance. This enables a "bucket sniping" attack, in which the attacker creates an S3 bucket with the expected name before the user does, blocking the user's access to the resource.

If a bucket is accidentally deleted and then recreated under the same name by an attacker, the CDK may still trust that bucket and use it to write and read data, allowing malicious CloudFormation templates to be introduced. In that case, the attacker gains the ability to deploy resources with administrator privileges.

The bug was fixed in CDK version 2.149.0, released in July 2024, after being notified of the vulnerability on June 27. AWS noted that approximately 1% of CDK users were affected by this vulnerability.

The fix ensures that data is only uploaded to buckets owned by the account that ran the bootstrap. In addition, users are advised to avoid the default identifier and instead use a unique identifier (qualifier) for their buckets.

AWS also called on users to update the CDK to the latest version and to re-run the bootstrap (initialization) command to mitigate the risk. As an additional security measure, it is suggested to configure IAM policies that restrict file publishing.
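To make the ownership problem and the three mitigations concrete, here is an added example in Python; it is not code from the article, Aqua, or the AWS CDK project. It assumes the bootstrap bucket name pattern `cdk-<qualifier>-assets-<account>-<region>`, a qualifier rule of short lowercase alphanumerics, and a constructed in-memory stand-in for an S3 client (boto3's real `put_object` does accept `ExpectedBucketOwner`, which is the server-side check the code relies on; the `s3:ResourceAccount` IAM condition key is likewise real). The stand-in is used so the example runs offline.

```python
"""Defender-side checks for the CDK bootstrap-bucket problem.
Added example; not AWS or CDK code. The bucket-name pattern, the qualifier
rule and FakeS3Client are assumptions / constructed for offline use."""
import re

DEFAULT_QUALIFIER = "hnb659fds"            # default CDK bootstrap qualifier named in the article
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_QUALIFIER_RE = re.compile(r"^[a-z0-9]{1,10}$")   # assumed rule: short lowercase alphanumerics


def bootstrap_bucket_name(account_id: str, region: str, qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Predicted CDK asset bucket name (assumed pattern: cdk-<qualifier>-assets-<account>-<region>).
    The name is fully predictable from public inputs, which is why a default qualifier is risky."""
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account id")
    if not _QUALIFIER_RE.match(qualifier):
        raise ValueError("qualifier must be 1-10 lowercase alphanumerics (assumed rule)")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def uses_default_qualifier(bucket_name: str) -> bool:
    """Flag asset buckets that are still built from the well-known default qualifier."""
    return bucket_name.startswith(f"cdk-{DEFAULT_QUALIFIER}-assets-")


class UploadRefused(Exception):
    """Raised when the destination bucket is not owned by the expected account."""


class FakeS3Client:
    """Constructed stand-in for a boto3 S3 client. It models only what we rely on:
    put_object honours ExpectedBucketOwner and fails when the owner does not match."""

    def __init__(self, bucket_owners: dict):
        self._owners = bucket_owners          # bucket name -> owning account id
        self.objects = {}                     # (bucket, key) -> body

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner=None):
        owner = self._owners.get(Bucket)
        if owner is None:
            raise KeyError(f"NoSuchBucket: {Bucket}")
        if ExpectedBucketOwner is not None and owner != ExpectedBucketOwner:
            # Real S3 returns 403 AccessDenied here; the stand-in raises PermissionError.
            raise PermissionError("AccessDenied: bucket owner mismatch")
        self.objects[(Bucket, Key)] = Body
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def safe_put_asset(s3, bucket: str, key: str, body: bytes, expected_owner: str) -> bool:
    """Upload an asset only if S3 confirms `bucket` belongs to `expected_owner`.
    A bucket recreated under the same name in another account fails this check server-side,
    so a deleted-and-resniped asset bucket cannot receive our templates."""
    try:
        s3.put_object(Bucket=bucket, Key=key, Body=body, ExpectedBucketOwner=expected_owner)
    except PermissionError as exc:
        raise UploadRefused(f"refusing to publish to {bucket}: {exc}") from exc
    return True


def restrict_asset_publishing_policy(account_id: str) -> dict:
    """IAM policy denying S3 object writes to buckets outside our own account, using the
    s3:ResourceAccount condition key. Attach it to the role that publishes CDK assets."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPublishOutsideAccount",
            "Effect": "Deny",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"s3:ResourceAccount": account_id}},
        }],
    }


if __name__ == "__main__":
    ours, theirs = "111111111111", "222222222222"      # constructed account ids
    name = bootstrap_bucket_name(ours, "us-east-1")
    print("default-qualifier bucket:", name, "| flagged:", uses_default_qualifier(name))
    # Constructed scenario: the default-named bucket was deleted and recreated by another account.
    s3 = FakeS3Client({name: theirs})
    try:
        safe_put_asset(s3, name, "template.json", b"{}", expected_owner=ours)
    except UploadRefused as e:
        print("blocked:", e)
```

Running the script shows the three layers working together: the default-qualifier name is flagged so it can be replaced with a custom qualifier at bootstrap time, the ownership-checked upload refuses a bucket that now belongs to a different account, and the deny policy makes the same refusal happen at the IAM layer even for tooling that forgets to pass the owner check.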
