A recent discovery has shed light on a vulnerability within the Amazon Web Services Cloud Development Kit (CDK) that poses a significant security risk to users. The CDK, a popular open source tool used by cyber teams to build software-defined cloud infrastructure, has been found to create a “staging” S3 bucket with a predictable naming convention during deployment. This naming convention, if exploited by malicious actors, could grant them total administrative access to the associated AWS account.
Researchers from Aqua, in a new report, revealed that approximately 1% of CDK users are impacted by this vulnerability. AWS has acknowledged the issue and notified affected users in mid-October. Users of CDK versions earlier than v2.148.1 are advised to take action to mitigate the risk.
Yakir Kadkoda, lead security researcher at Aqua, emphasized the importance for open source projects relying on AWS to avoid using predictable bucket names. He suggested that these projects should allow users to modify the bucket name or implement checks to prevent such vulnerabilities from arising.
The vulnerability, which does not have an associated CVE number, leaves users at risk of potential exploitation by threat actors. Kadkoda noted that it is impossible to determine if the vulnerability has been actively exploited in the wild.
The report also delves into the concepts of S3 bucket namesquatting and bucket sniping, the methods a threat actor could use to exploit the vulnerability. During the CDK bootstrapping process, an S3 staging bucket is created with a fixed naming pattern whose only variable parts are the account ID and region. An attacker who can fill in those fields can predict the bucket name, claim it if it is free, and thereby tamper with existing buckets or create new ones, ultimately executing malicious code within the target AWS account.
By setting up a bucket ahead of time, threat actors can intercept the bootstrap process and tamper with CloudFormation templates stored in the CDK staging bucket. This manipulation could lead to the injection of malicious resources into the victim’s account during deployment.
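The defensive counterpart to the bucket-sniping scenario above is to verify, before every deploy, that the staging bucket a CDK stack is about to read from actually belongs to your account. The following is an added example and is not code from the Aqua report or from the CDK project. It assumes the staging bucket name has the shape cdk-<qualifier>-assets-<account>-<region> with the CDK default qualifier `hnb659fds`, and it models S3 through an injectable `lookup_owner` callable so it runs offline; the `s3_owner_lookup` adapter shows how a duck-typed boto3 S3 client (`head_bucket` with `ExpectedBucketOwner`) would fill that role, and the sample account IDs and bucket owners are constructed.

```python
"""Verify CDK staging-bucket ownership before deploying (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Default CDK bootstrap qualifier; treat as an assumption for this example.
DEFAULT_QUALIFIER = "hnb659fds"

# Sentinel returned when S3 tells us the bucket exists but is not ours
# (HeadBucket with ExpectedBucketOwner answers 403 in that case).
NOT_OURS = "<not-our-account>"

# lookup_owner(bucket_name) -> owning account ID, NOT_OURS, or None if absent.
OwnerLookup = Callable[[str], Optional[str]]


def staging_bucket_name(account_id: str, region: str,
                        qualifier: str = DEFAULT_QUALIFIER) -> str:
    """Reproduce the predictable staging bucket name the article describes."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"


def check_staging_bucket(account_id: str, region: str, lookup_owner: OwnerLookup,
                         qualifier: str = DEFAULT_QUALIFIER) -> Tuple[str, str]:
    """Return (bucket_name, verdict) with verdict one of:
    'owned'   - bucket exists and belongs to our account: safe to deploy
    'missing' - no such bucket yet: the name is claimable, bootstrap now
    'foreign' - bucket exists under another account: do NOT deploy
    """
    name = staging_bucket_name(account_id, region, qualifier)
    owner = lookup_owner(name)
    if owner is None:
        return name, "missing"
    if owner == account_id:
        return name, "owned"
    return name, "foreign"


def audit_regions(account_id: str, regions: List[str],
                  lookup_owner: OwnerLookup) -> Dict[str, str]:
    """Run the ownership check for every region the account deploys to."""
    return {r: check_staging_bucket(account_id, r, lookup_owner)[1] for r in regions}


def s3_owner_lookup(s3_client, account_id: str) -> OwnerLookup:
    """Adapter for a boto3-style S3 client (duck-typed; boto3 is not imported).

    head_bucket(Bucket=..., ExpectedBucketOwner=...) succeeds only when the
    bucket is owned by account_id; a 404 means it does not exist and a 403
    means it exists but is not ours (or we cannot read it), which we treat
    the same way: do not deploy.
    """
    def lookup(bucket: str) -> Optional[str]:
        try:
            s3_client.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
            return account_id
        except Exception as exc:  # botocore.exceptions.ClientError carries .response
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
            if code in ("404", "NoSuchBucket"):
                return None
            return NOT_OURS
    return lookup


# Constructed sample data: what a lookup would return in a hypothetical account.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_OWNERS = {
    "cdk-hnb659fds-assets-111122223333-us-east-1": "111122223333",  # ours
    "cdk-hnb659fds-assets-111122223333-eu-west-1": "999988887777",  # claimed by someone else
}


def sample_lookup(bucket: str) -> Optional[str]:
    """Offline stand-in for S3: returns the constructed owner table entry."""
    return SAMPLE_OWNERS.get(bucket)


if __name__ == "__main__":
    regions = ["us-east-1", "eu-west-1", "ap-southeast-2"]
    for region, verdict in audit_regions(SAMPLE_ACCOUNT, regions, sample_lookup).items():
        print(f"{region}: {verdict}")
```

Run as a pre-deploy gate: a `foreign` verdict should fail the pipeline, and a `missing` verdict means the name is currently claimable by anyone, so bootstrap the region immediately rather than leaving the name unused.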
The Aqua report underscores the importance of avoiding easily guessed names for S3 buckets in open source tools, as highlighted in their previous analysis. Kadkoda reiterated the significance of safeguarding the AWS account ID to prevent vulnerabilities like the one discovered in the CDK.
In conclusion, the vulnerability in the AWS CDK serves as a stark reminder of the security risks associated with predictable naming conventions in cloud infrastructure. Users are urged to take proactive measures to secure their AWS accounts and avoid falling victim to potential exploitation by threat actors.
