"Wiz Security's research team identified that a subset of repositories configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs, but these filters were insufficient, allowing a predictably acquired actor ID to gain administrative permissions. The four affected repositories that put the AWS Console supply chain at risk were the AWS SDK for JavaScript v3, the general-purpose cryptographic library aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry, a repository of publicly available datasets accessible from AWS resources."
"The ACTOR_ID filter that checked which GitHub users could trigger builds was missing the start (^) and end ($) anchors, allowing any user ID containing a trusted ID as a substring to bypass the restriction. Because GitHub IDs are sequential, researchers created automated GitHub Apps and captured credentials from the build cache, gaining full admin access to the compromised repositories. As the AWS SDK for JavaScript is bundled with the AWS Console, a successful attack could have compromised the console supply chain."
Multiple AWS-managed open-source repositories contained a CodeBuild webhook configuration flaw that allowed attackers to bypass trusted-actor filters. The ACTOR_ID regex lacked the start (^) and end ($) anchors, so it was evaluated as a substring match: any GitHub user ID that merely contained a trusted ID (for instance, a hypothetical trusted ID 1234567 would also be "matched" by 12345678) could trigger builds. Because GitHub IDs are assigned sequentially, the Wiz researchers showed that such a colliding ID can be obtained predictably by creating automated GitHub Apps; from there they obtained credentials from the build cache and gained full administrative access to the affected repositories. The four impacted repositories were AWS SDK for JavaScript v3, aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry. Because the AWS SDK for JavaScript is bundled with the AWS Console, the flaw put the console's supply chain at risk.
Read at InfoQ