An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struck
A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
Amazon Web Services (AWS) is downplaying reports that a CodeBuild vulnerability could have compromised thousands of enterprise user accounts.
CodeBuild is a managed Continuous Integration (CI) service that’s often connected to GitHub repositories, triggering builds on events like new pull requests.
The vulnerability, dubbed by Wiz researchers as ‘CodeBreach’, stemmed from a subtle flaw in how core AWS GitHub repositories handled build triggers.
"The issue allowed a complete takeover of key AWS GitHub repositories - most notably the AWS JavaScript SDK, a core library that powers the AWS Console," said Wiz.
"By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account."
Researchers found that just two missing characters in a regex security filter - the start (^) and end ($) anchors - allowed unauthenticated attackers to compromise the build environment and leak privileged credentials.
These anchors are essential to ensuring an exact match; without them, the filter simply searches for a string that contains the pattern. As a result, Wiz said, any GitHub user ID containing an approved maintainer's ID as a substring would look legitimate.
“This creates a critical risk: if an attacker can compromise a single build, they are just a memory dump away from stealing credentials that often possess powerful permissions over the source repository,” the company explained in a blog post.
How the CodeBuild vulnerability was discovered
In dissecting the vulnerability, Wiz researchers created thousands of GitHub bot accounts until one matched the criteria, allowing them to push a pull request that looked legitimate.
This successfully extracted GitHub credentials for the aws-sdk-js-automation account, which had admin privileges over several AWS repositories, including private ones.
Wiz acknowledged that the issue wasn't a service-wide flaw, but warned that CodeBuild customers could introduce the same misconfiguration to their own projects.
The company disclosed its findings to AWS, which fixed the issue within 48 hours.
AWS also implemented global hardening measures within the CodeBuild service to prevent similar attacks, most notably with a new Pull Request Comment Approval build gate.
The company said it had audited all AWS-managed open source GitHub repositories, and found that none involved this type of misconfiguration.
"These activities had no impact to any AWS customer environments and did not impact any AWS services or infrastructure. No customer action is required," said the firm.
Regardless, Wiz recommends that CodeBuild users enable the new Pull Request Comment Approval build gate or use CodeBuild-hosted runners to manage build triggers via GitHub workflows.
Where webhook filters are genuinely needed, their regex patterns should be anchored with ^ and $ so that only an exact match passes.
Organizations should also secure the CodeBuild-GitHub connection by generating a unique, fine-grained Personal Access Token (PAT) for each CodeBuild project, strictly limiting the PAT's permissions to the minimum required, and perhaps using a dedicated unprivileged GitHub account for the CodeBuild integration.
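The following is an added example, not code from Wiz or AWS, that models the anchoring flaw described above and the audit step the recommendations call for. It assumes a CodeBuild webhook filter of type ACTOR_ACCOUNT_ID whose regex is matched against the GitHub actor's account ID with search (substring) semantics, and uses a constructed maintainer ID of 12345.

```python
import re

# Constructed sample values: the maintainer ID and both filter variants are
# made up for this example, not taken from any real CodeBuild project.
MAINTAINER_ID = "12345"
WEAK_FILTER = {"type": "ACTOR_ACCOUNT_ID", "pattern": MAINTAINER_ID}          # no anchors
FIXED_FILTER = {"type": "ACTOR_ACCOUNT_ID", "pattern": f"^{MAINTAINER_ID}$"}  # exact match


def actor_allowed(webhook_filter: dict, actor_id: str) -> bool:
    """Model the filter check: the build triggers if the pattern matches
    anywhere in the actor ID (re.search), which is why a missing ^/$ lets
    any ID that merely contains the maintainer's ID pass."""
    return re.search(webhook_filter["pattern"], actor_id) is not None


def is_anchored(pattern: str) -> bool:
    """Conservative check that a pattern can only match the whole value.

    It must start with ^ and end with $, and it must not contain a '|'
    outside parentheses, because in '^a|b$' the anchors apply to only one
    alternative each; write '^(a|b)$' instead. Character classes and
    escaped parentheses are not parsed specially (hypothetical helper)."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    depth = 0
    for ch in pattern[1:-1]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return False
    return True


def audit_filter_groups(filter_groups: list) -> list:
    """Return a finding for every ACTOR_ACCOUNT_ID filter whose pattern is
    not anchored; filter_groups is a list of lists, as in the CodeBuild
    webhook configuration."""
    findings = []
    for group in filter_groups:
        for f in group:
            if f["type"] == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"]):
                findings.append(f"unanchored ACTOR_ACCOUNT_ID pattern {f['pattern']!r}")
    return findings
```

Run `audit_filter_groups` over the `filterGroups` of each project's webhook (for example from `aws codebuild batch-get-projects` output) to spot patterns that match on substrings.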
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.