Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI, which allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within an Amazon Web Services (AWS) account.
“When executed at scale, this attack could be used to gain access to thousands of accounts,” Datadog Security Labs researcher Seth Art said in a report shared with The Hacker News. “The vulnerable pattern can be found in many private and open source code repositories.”
At its heart, the technique is a supply chain attack that involves publishing a malicious resource and tricking misconfigured software into using it instead of the legitimate counterpart.
The attack exploits two facts: anyone can publish an AMI (the virtual machine image used to launch Elastic Compute Cloud (EC2) instances in AWS) to the community catalog, and developers may neglect to specify the “--owners” attribute when searching for one via the ec2:DescribeImages API.
Put differently, the name confusion attack requires the following three conditions to be met when a victim retrieves the AMI ID via the API:
- Use of a name filter,
- Failure to specify the owner, owner-alias, or owner-id parameters,
- Selection of the most recently created image from the returned list of matching images (“most_recent = true”)
This leads to a scenario in which an attacker can create a malicious AMI with a name that matches the pattern specified in the search criteria, causing an EC2 instance to be launched from the doppelgänger AMI.
This, in turn, makes it possible to achieve remote code execution (RCE), allowing the threat actor to carry out various post-exploitation actions.
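To make the three conditions concrete, the following Python is an added example (not code from the report or from Datadog) that replays the selection logic against a constructed DescribeImages result; the image IDs, owner account IDs and name pattern are placeholders.

```python
import fnmatch
from datetime import datetime

# Constructed stand-in for an ec2:DescribeImages response (fields trimmed).
# Image IDs and owner account IDs are placeholders, not real values.
TRUSTED_OWNER = "111111111111"   # hypothetical vendor account
ATTACKER_OWNER = "999999999999"  # hypothetical account that published the lookalike

SAMPLE_IMAGES = [
    {"ImageId": "ami-0123456789abcdef0", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240101",
     "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0123456789abcdef1", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240601",
     "CreationDate": "2024-06-01T00:00:00.000Z"},
    # Lookalike: matches the same name pattern, newer date, different owner.
    {"ImageId": "ami-0123456789abcdef2", "OwnerId": ATTACKER_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
     "CreationDate": "2024-09-01T00:00:00.000Z"},
]

NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"


def _creation_time(image):
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _matching(images, name_pattern):
    # Emulates the DescribeImages "name" filter, which accepts shell-style wildcards.
    return [i for i in images if fnmatch.fnmatchcase(i["Name"], name_pattern)]


def vulnerable_lookup(images, name_pattern):
    """The whoAMI-prone pattern: name filter + most_recent, no owner restriction."""
    return max(_matching(images, name_pattern), key=_creation_time)["ImageId"]


def safe_lookup(images, name_pattern, trusted_owner):
    """Hardened: keep only images published by the trusted owner, then pick the newest."""
    candidates = [i for i in _matching(images, name_pattern) if i["OwnerId"] == trusted_owner]
    if not candidates:
        raise LookupError("no AMI from the trusted owner matches the pattern")
    return max(candidates, key=_creation_time)["ImageId"]


def describe_images_params(name_pattern, trusted_owner):
    """Request shape for boto3 ec2.describe_images(**params): Owners is the fix."""
    return {"Owners": [trusted_owner],
            "Filters": [{"Name": "name", "Values": [name_pattern]}]}
```

Run against the constructed data, `vulnerable_lookup` returns the lookalike image while `safe_lookup` returns the vendor's newest image.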
https://www.youtube.com/watch?v=l-wexfjd-bo
All an attacker needs is an AWS account to publish their backdoored AMI to the public community catalog and choose a name that matches the pattern their targets are searching for.
“It's very similar to a dependency confusion attack, except that in the latter, the malicious resource is a software dependency (such as a pip package), whereas in the whoAMI name confusion attack, the malicious resource is a virtual machine image,” Art said.
Datadog said roughly 1% of the organizations monitored by the company were affected by the whoAMI attack, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria.
Following responsible disclosure on September 16, 2024, Amazon resolved the issue three days later. When reached for comment, AWS told The Hacker News that it did not find any evidence that the technique had been abused in the wild.
“All AWS services are operating as designed. Based on extensive analysis and monitoring, our investigation has confirmed that the technique described in this study,” AWS said.
“This technique could impact customers who retrieve Amazon Machine Image (AMI) IDs via the ec2:DescribeImages API without specifying the owner value. In December 2024, we introduced Allowed AMIs, a new account-wide setting that enables customers to limit the discovery and use of AMIs within their AWS accounts. We recommend that customers evaluate and implement this new security control.”
As of November last year, HashiCorp Terraform began issuing warnings to users when “most_recent = true” is used without an owner filter, starting with terraform-provider-aws version 5.77.0. The diagnostic warning is expected to be upgraded to an error, effective version 6.0.0.