An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struck
A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
Amazon Web Services (AWS) is downplaying reports that a CodeBuild vulnerability could have compromised thousands of enterprise user accounts.
CodeBuild is a managed Continuous Integration (CI) service that’s often connected to GitHub repositories, triggering builds on events like new pull requests.
The vulnerability, dubbed by Wiz researchers as ‘CodeBreach’, stemmed from a subtle flaw in how core AWS GitHub repositories handled build triggers.
"The issue allowed a complete takeover of key AWS GitHub repositories - most notably the AWS JavaScript SDK, a core library that powers the AWS Console," said Wiz.
"By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account."
Researchers found that just two missing characters in a Regex security filter - the start (^) and end ($) anchors - allowed unauthenticated attackers to compromise the build environment and leak privileged credentials.
These anchors are essential to ensuring an exact match; without them, the filter simply searches for a string that contains the pattern. As a result, Wiz said any GitHub user ID containing an approved maintainer’s ID as a substring would look legitimate.
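To make the substring problem concrete, the following added example (not code from Wiz or AWS) models a webhook actor-ID filter as a plain Python regex check, once unanchored and once anchored; the user IDs are constructed values.

```python
import re

# Constructed sample: GitHub user IDs of the approved maintainers (hypothetical values).
APPROVED_ACTOR_IDS = ["12345678", "87654321"]

# Constructed sample: actor IDs arriving on pull-request webhook events (hypothetical values).
CANDIDATE_ACTOR_IDS = [
    "12345678",    # a real maintainer
    "912345678",   # an account whose ID merely contains a maintainer's ID
    "123456789",   # another substring match
    "55555555",    # unrelated account
]

def unanchored_pattern(ids):
    """Models the flawed filter: no ^/$ anchors, so re.search accepts any ID
    that contains an approved ID as a substring."""
    return "|".join(re.escape(i) for i in ids)

def anchored_pattern(ids):
    """Hardened filter: the whole alternation is grouped and anchored, so only
    an exact, full-string match of one approved ID passes. Anchoring only the
    outer ends of an ungrouped alternation ("^a|b$") would still be wrong."""
    return r"^(?:" + "|".join(re.escape(i) for i in ids) + r")$"

def approved_actors(pattern, candidates):
    """Return the candidate IDs that the filter would treat as approved."""
    return [c for c in candidates if re.search(pattern, c) is not None]

def is_fully_anchored(pattern):
    """Quick audit check for a filter pattern: true only if it is anchored at
    both ends and any alternation is wrapped in a group."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    body = pattern[1:-1]
    return "|" not in body or (body.startswith("(") and body.endswith(")"))

if __name__ == "__main__":
    for name, pat in (("unanchored", unanchored_pattern(APPROVED_ACTOR_IDS)),
                      ("anchored", anchored_pattern(APPROVED_ACTOR_IDS))):
        print(name, pat, is_fully_anchored(pat), approved_actors(pat, CANDIDATE_ACTOR_IDS))
```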
“This creates a critical risk: if an attacker can compromise a single build, they are just a memory dump away from stealing credentials that often possess powerful permissions over the source repository,” the company explained in a blog post.
How the CodeBuild vulnerability was discovered
In dissecting the vulnerability, Wiz researchers created thousands of GitHub bot accounts until one matched the criteria, allowing them to push a pull request that looked legitimate.
This successfully extracted GitHub credentials for the aws-sdk-js-automation account, which had admin privileges over several AWS repositories, including private ones.
Wiz acknowledged that the issue wasn't a service-wide flaw, but warned that CodeBuild customers could introduce the same misconfiguration to their own projects.
The company disclosed its findings to AWS, which fixed the issue within 48 hours.
AWS also implemented global hardening measures within the CodeBuild service to prevent similar attacks, most notably with a new Pull Request Comment Approval build gate.
The company said it had audited all AWS-managed open source GitHub repositories, and found that none involved this type of misconfiguration.
"These activities had no impact to any AWS customer environments and did not impact any AWS services or infrastructure. No customer action is required," said the firm.
Regardless, Wiz recommends that CodeBuild users enable the new Pull Request Comment Approval build gate or use CodeBuild-hosted runners to manage build triggers via GitHub workflows.
Where webhook filters are genuinely needed, users should ensure their regex patterns are anchored.
Organizations should also secure the CodeBuild-GitHub connection by generating a unique, fine-grained Personal Access Token (PAT) for each CodeBuild project, strictly limiting the PAT's permissions to the minimum required, and perhaps using a dedicated unprivileged GitHub account for the CodeBuild integration.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.