AWS Predictable Bucket Names Compromise Account Security

The Amazon Web Services Cloud Development Kit (CDK) is a widely adopted open-source tool that enables development teams to create software-defined cloud infrastructure easily using popular programming languages such as Python and JavaScript. However, a significant security concern has been identified: during deployment, the AWS CDK generates a “staging” S3 bucket with a naming scheme that is overly predictable, potentially allowing cybercriminals to gain complete administrative access to the linked account.

According to a recent report from security researchers at Aqua, this vulnerability has been confirmed to impact around 1% of AWS CDK users. AWS took steps to inform those affected by this problem in mid-October. Users operating with CDK versions v2.148.1 or earlier are advised to take precautionary measures.

Yakir Kadkoda, Aqua’s chief security researcher, emphasized the critical lesson for open-source projects that use AWS. “It’s essential for these projects to avoid predictable bucket names,” he stated. “Developers should either allow users to customize the names of the buckets created by the open-source software or include checks that prevent unauthorized access based on bucket ownership, to mitigate such vulnerabilities.”

Kadkoda also pointed out the uncertainty surrounding whether this vulnerability has been exploited in real-world scenarios, as it lacks an associated Common Vulnerabilities and Exposures (CVE) identifier.

Understanding S3 Bucket Namesquatting and Bucket Sniping

The vulnerability arises during the bootstrapping phase, in which AWS creates the S3 staging bucket for various deployment assets. The naming format for these buckets follows a consistent pattern: `cdk-{qualifier}-assets-{account-ID}-{Region}`. When the default qualifier is left in place, the account ID and the region are the only two values that differ across buckets, so a malicious actor who knows them can work out the exact name of any such bucket.

This gives attackers the means not only to infiltrate an existing S3 bucket but also to establish a new one entirely. If an attacker preemptively creates a bucket, the user will encounter an error when attempting to bootstrap the CDK, since the process will conflict with the existing bucket, as detailed in Aqua’s report. It is recommended that users select a non-default qualifier when setting up their environment.

This exploitation strategy, referred to as “S3 bucket namesquatting” or “bucket sniping,” enables threat actors to run harmful code within the targeted AWS account.

The Aqua report further highlights that the CDK staging bucket contains critical CloudFormation templates. If infiltrated, these files can be easily modified by an attacker, facilitating the injection of harmful resources during deployment into an unsuspecting user’s account.
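The bucket-ownership check Kadkoda recommends can be run as an audit of your own account. The sketch below is an added example, not code from Aqua, AWS or the CDK project. It assumes CDK's default qualifier `hnb659fds`, a placeholder account ID, and boto3's `head_bucket` call with its `ExpectedBucketOwner` parameter, and it swaps in constructed responses so that it runs offline.

```python
DEFAULT_QUALIFIER = "hnb659fds"  # assumption: CDK's default bootstrap qualifier


def staging_bucket(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Name from the article's pattern cdk-{qualifier}-assets-{account-ID}-{Region}."""
    if not (len(account_id) == 12 and account_id.isascii() and account_id.isdigit()):
        raise ValueError("AWS account IDs are 12 digits")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def boto3_head(name, owner, region):
    """HTTP status of HeadBucket with an owner condition (needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3", region_name=region).head_bucket(
            Bucket=name, ExpectedBucketOwner=owner)
        return 200
    except ClientError as err:
        return err.response["ResponseMetadata"]["HTTPStatusCode"]


def audit(account_id, regions, qualifier=DEFAULT_QUALIFIER, head=boto3_head):
    """Map each expected staging bucket name to an ownership finding."""
    findings = {}
    for region in regions:
        name = staging_bucket(account_id, region, qualifier)
        status = head(name, account_id, region)
        if status == 200:
            findings[name] = "owned by this account"
        elif status == 404:
            # Nobody holds the name yet; with the default qualifier it is guessable.
            findings[name] = "name unclaimed"
        else:
            # 403 (owner mismatch or no access) and anything unexpected.
            findings[name] = "not verified as yours"
    return findings


if __name__ == "__main__":
    # Constructed responses standing in for S3; 123456789012 is a placeholder account.
    fake = {"us-east-1": 200, "eu-west-1": 403, "ap-south-1": 404}
    report = audit("123456789012", fake, head=lambda n, o, r: fake[r])
    for name, finding in report.items():
        print(f"{finding:24} {name}")
```

Calling `audit()` without the `head` argument uses `boto3_head` against the live account. Any result other than "owned by this account" for a region you have bootstrapped deserves investigation before the next deployment.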

This latest study reinforces Aqua’s previous warnings regarding the risks associated with S3 buckets that employ easily guessed names within open-source tools.

Kadkoda concluded, “This research stresses the necessity of avoiding predictable bucket names and safeguarding the AWS account ID to prevent exposure to similar vulnerabilities in the future.”

Source
www.darkreading.com
