CodeBreach: A Regex Vulnerability Allowed AWS Console Takeovers
- Jan 17
Key Findings
A vulnerability in the AWS Console supply chain, dubbed "CodeBreach," could have allowed attackers to seize control of critical AWS infrastructure.
The flaw stemmed from a seemingly minor misconfiguration in a regular expression (regex) used to filter pull requests in AWS CodeBuild pipelines.
The lack of "start ^ and end $ anchors" in the regex pattern enabled malicious actors to bypass the filter and trigger privileged builds.
Wiz researchers were able to exploit the vulnerability and obtain administrative control over the AWS JavaScript SDK repository, a core library powering the AWS Console.
The potential impact was massive, as the JavaScript SDK is included in 66% of cloud environments, including the AWS Console itself.
Background
The CodeBreach vulnerability was discovered by security researchers at Wiz, a cloud security company. The flaw was found in how AWS's CodeBuild CI pipelines handled pull requests to prevent unauthorized users from triggering builds.
The projects used an ACTOR_ID filter, which was intended to be an allow-list of approved maintainers. However, the implementation of this filter had a critical flaw. The filter used a pipe-separated list of IDs (e.g., 123|456|789) that was interpreted as a regular expression (regex) pattern.
The Regex Flaw
The issue with the regex pattern was the lack of "start ^ and end $ anchors." Without these anchors, the regex engine did not require the whole actor ID to match one of the listed IDs; it accepted any actor ID that merely contained one of them as a substring.
This meant that any GitHub user whose ID contained the ID of a trusted maintainer could bypass the filter and trigger a privileged build. Wiz researchers realized that because GitHub assigns user IDs sequentially, they could predict when a "superstring" ID would become available, a window of opportunity they dubbed an "ID Eclipse."
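To make the substring problem concrete, here is an added example (not code from Wiz or AWS) that emulates an actor-ID allow-list evaluated as a regex, first in the unanchored form the article describes and then with anchors added. The maintainer IDs and candidate actor IDs are constructed sample values; the exact way CodeBuild evaluates its filter is assumed to be a plain regex search over the actor ID.

```python
import re

# Constructed allow-list of "maintainer" GitHub user IDs (sample values).
TRUSTED_IDS = ["123", "456", "789"]


def unanchored_pattern(ids):
    """Weak form described in the article: "123|456|789" with no ^ or $."""
    return "|".join(re.escape(i) for i in ids)


def anchored_pattern(ids):
    """Hardened form: "^(?:123|456|789)$", so only an exact ID matches.

    Note: in Python, "$" also matches just before a trailing newline, so
    is_allowed_strict() below uses re.fullmatch() as the safest equivalent.
    """
    return "^(?:" + "|".join(re.escape(i) for i in ids) + ")$"


def is_allowed(actor_id, pattern):
    """Emulates a filter that lets the build run if the regex matches anywhere."""
    return re.search(pattern, actor_id) is not None


def is_allowed_strict(actor_id, ids):
    """Defender-side check: the actor ID must equal one allow-listed ID exactly."""
    alternation = "|".join(re.escape(i) for i in ids)
    return re.fullmatch(alternation, actor_id) is not None


def superstring_ids(candidate_ids, ids):
    """Audit helper: candidates the weak filter accepts but an exact match rejects.

    Run this over the IDs a pipeline has already allowed to spot shadowing.
    """
    weak = unanchored_pattern(ids)
    return [c for c in candidate_ids if is_allowed(c, weak)
            and not is_allowed_strict(c, ids)]


if __name__ == "__main__":
    # Constructed actor IDs: 1234 and 9123 both contain the trusted ID 123.
    candidates = ["123", "1234", "9123", "555"]
    print("weak filter accepts:", [c for c in candidates
                                   if is_allowed(c, unanchored_pattern(TRUSTED_IDS))])
    print("anchored filter accepts:", [c for c in candidates
                                       if is_allowed(c, anchored_pattern(TRUSTED_IDS))])
    print("shadowing IDs:", superstring_ids(candidates, TRUSTED_IDS))
```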
Exploiting the Vulnerability
By monitoring the creation of new GitHub IDs and launching a coordinated registration burst, Wiz researchers successfully claimed a user ID that shadowed a trusted maintainer for the AWS JavaScript SDK. With this account, they submitted a pull request that bypassed the filter, allowing them to obtain the GitHub credentials of the aws-sdk-js-v3 CodeBuild project.
Potential Impact
The compromised credentials granted full administrative control over the repository. An attacker could have injected malicious code into the SDK, which is "released on a weekly basis to GitHub and then to NPM." Given that the JavaScript SDK is used in 66% of cloud environments, including the AWS Console itself, the potential blast radius was massive, "threatening every AWS account."
AWS's Response and Mitigation
Upon disclosure, AWS acted swiftly and mitigated the issue within 48 hours. The cloud giant fixed the regex patterns and implemented broader hardening measures. AWS also introduced a new Pull Request Comment Approval build gate in CodeBuild, offering organizations "a simple and secure path to prevent untrusted builds."
Lessons Learned
Wiz emphasizes that this incident is part of a growing trend of attackers targeting CI/CD environments. The researchers urge organizations to review their own CodeBuild configurations and ensure that "untrusted contributions should never trigger privileged pipelines."
Sources
https://securityonline.info/codebreach-missing-regex-anchors-exposed-aws-console-to-takeover/
https://x.com/the_yellow_fall/status/2012364212001996973