Amazon Web Services (AWS) has patched a vulnerability in its Cloud Development Kit (CDK) that allowed threat actors to completely take over people’s accounts.
The AWS Cloud Development Kit (CDK) is an open source software development framework that allows developers to define cloud infrastructure using well-known programming languages such as TypeScript, Python, and Java. It simplifies the process of creating and managing AWS resources by converting code into AWS CloudFormation templates, enabling infrastructure as code (IaC) practices.
To deploy an app, users must first spin up the environment, including creating necessary components such as identity and access management (IAM) cabling, permissions, policies, and an S3 staging bucket. S3’s staging buckets follow the same naming pattern: “cdk-{Qualifier}-{Description}-{Account ID}-{Region}”. That means crooks can easily predict the name, as long as they know the AWS account ID and the region in which the CDK is deployed.
Thousands of copies
“Since the prefix is always cdk, the default qualifier is hnb659fds, and assets are a constant string in the bucket name, the only variables that change are the account ID and region,” explain cybersecurity researchers at Aqua, who coined the name for noticed first. lack.
This means that scammers can pre-claim someone else’s CDK staging bucket name, pre-load it with malware, and then wait for the victim to execute it.
To make matters worse, Aqua says there are “thousands” of instances where the default qualifier is used in the bootstrap process, making it super easy to claim another user’s CDK staging bucket name. In fact, the issue “could allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover,” the professionals explained.
Aqua reported the error to Amazon, which fixed it in early July this year, it said. The first clean CDK version is v2.149.0.
Via The registry
