Just two characters short! Amazon Web Services' own GitHub repository was nearly breached, raising red flags for supply chain security

Amazon Web Services recently released a security announcement confirming that some popular open-source GitHub repositories managed by Amazon Web Services have configuration issues. This high-risk vulnerability, named CodeBreach, could allow malicious code to be introduced into the repositories, potentially leading to the takeover of repositories that rely on AWS CodeBuild. The research team at Wiz Security discovered that some repositories used regular expressions to restrict trusted trigger IDs when configuring for AWS CodeBuild, but these filtering rules were insufficient, allowing attackers to exploit predictably obtainable actor IDs to gain administrative privileges. A total of four repositories were affected and posed risks to the AWS Console supply chain, namely: AWS SDK for JavaScript v3, a general encryption library, and a public dataset repository accessible through AWS resources. Wiz's vulnerability researcher and the head of Wiz vulnerability research explained: Specifically, the ACTOR_ID filtering rules used to verify which GitHub users can trigger builds lacked start (^) and end ($) symbols, allowing any user whose ID "contains" a trusted ID as a substring to bypass the restrictions. Since GitHub user IDs are assigned sequentially, researchers were able to create an automated GitHub App to capture credentials from the build cache, ultimately gaining full administrative access to the affected repositories. Given that AWS SDK for JavaScript is packaged within AWS Console, a successful attack could jeopardize the console supply chain relied upon by countless AWS accounts. Amazon Web Services confirmed the existence of the vulnerability and thanked the Wiz Security research team for identifying the issue, stating that other open-source repositories managed by Amazon Web Services do not have similar misconfigurations. The issues in the affected repositories were resolved within 48 hours of the initial disclosure. Avrahami and Ohfeld further pointed out: As such attacks become more frequent, Wiz calls on organizations to further strengthen their CI/CD pipelines, ensuring that all access controls based on ACTOR_ID are strictly limited and correctly configured, allowing only identities on the whitelist to trigger builds. Reddit user hashkent stated: This incident and other recent attacks highlight an important principle: never allow untrusted contributions to trigger high-privilege CI/CD pipelines. Corey Quinn, Chief Cloud Economist at The Duckbill Group, also stated: According to reports, the CodeBreach vulnerability was first reported to Amazon Web Services by Wiz on August 25. Amazon Web Services subsequently added anchors to the problematic actor ID filtering rules on August 27 and revoked the personal access token for aws-sdk-js-automation In September, Amazon Web Services further strengthened security measures to prevent non-privileged builds from accessing project credentials through memory dumps. However, the incident was not officially disclosed until January 15