AWS recently published a security bulletin acknowledging a configuration issue affecting some popular AWS-managed open-source GitHub repositories. Dubbed CodeBreach, the critical vulnerability could have resulted in the introduction of malicious code and hijacking of the repositories leveraging AWS CodeBuild.
Wiz Security’s research team identified that a subset of repositories configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs, but these filters were insufficient, allowing a predictably acquired actor ID to gain administrative permissions. The four affected repositories that put the AWS Console supply chain at risk were the AWS SDK for JavaScript v3, the general-purpose cryptographic library aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry, a repository of publicly available datasets accessible from AWS resources.
Yuval Avrahami, vulnerability researcher at Wiz, and Nir Ohfeld, head of vulnerability research at Wiz, explain:
The vulnerability stemmed from a subtle flaw in how the repositories’ AWS CodeBuild CI pipelines handled build triggers. Just two missing characters in a Regex filter allowed unauthenticated attackers to infiltrate the build environment and leak privileged credentials.
The ACTOR_ID filter that checked which GitHub users could trigger builds was missing the start (^) and end ($) anchors, allowing any user ID containing a trusted ID as a substring to bypass the restriction. Because GitHub IDs are sequential, researchers created automated GitHub Apps and captured credentials from the build cache, gaining full admin access to the compromised repositories. As the AWS SDK for JavaScript is bundled with the AWS Console, a successful attack could have compromised the console supply chain for countless AWS accounts.
While confirming the vulnerability and thanking Wiz Security’s research team for identifying the issue, the cloud provider confirmed that no such misconfigurations exist across other AWS-managed open-source repositories. The issue in the affected repositories was mitigated within 48 hours of initial disclosure. Avrahami and Ohfeld add:
This issue follows a familiar pattern seen in recent supply-chain attacks like the Nx S1ngularity incident, where subtle CI/CD misconfigurations lead to disproportionately impactful attacks. Just last July, a threat actor abused a similar CodeBuild issue to launch a supply chain attack against users of the Amazon Q VS Code extension.
As similar attacks are becoming more prevalent, Wiz encourages organizations to harden their CI/CD pipelines, ensuring that any access controls using the ACTOR_ID filter are properly scoped and configured to allow only allow-listed identities. User hashkent comments on Reddit:
It feels like it’s getting harder to keep your source code secure. Getting scary out there.
This and other recent attacks highlight the importance of not allowing untrusted contributions to run privileged CI/CD pipelines. Corey Quinn, chief cloud economist at The Duckbill Group, comments:
This is the second major CodeBuild lapse in the past year. Something in the water over there? Pro tip: if AWS can't configure their own security correctly, maybe double-check yours.
The CodeBreach vulnerability was initially reported by Wiz to AWS on August 25, with the cloud provider anchoring the vulnerable actor ID filters and revoking the personal access token of aws-sdk-js-automation on August 27. Additional hardening to prevent non-privileged builds from accessing project credentials via memory dumping was implemented in September, but public disclosure did not occur until January 15.