Thousands of active AWS accounts are vulnerable to a cloud image name confusion attack that could allow attackers to execute code within those accounts.
According to Datadog research, vulnerable patterns exist in the way multiple software projects retrieve Amazon Machine Image (AMI) IDs to create Amazon Elastic Compute Cloud (EC2) instances.
“The vulnerable pattern allows anyone that publishes an AMI with a specially crafted name to gain code execution within the vulnerable AWS account,” the researchers said in a blog post. “If executed at scale, this attack could be used to gain access to thousands of accounts.”
The whoAMI attack
Researchers have demonstrated that the attack vector “whoAMI” can impact many private and open-source code repositories. Over 10,000 AWS accounts are vulnerable to this attack, about 1% of the reported one million active AWS deployments.
The whoAMI attack is a name confusion exploit, a type of supply chain attack in which misconfigured software is tricked into using a malicious resource. Unlike dependency confusion attacks, which target software dependencies such as pip packages, whoAMI involves a rogue virtual machine image impersonating a legitimate one.
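The name confusion described above can be reproduced offline to show why the owner of an image has to be part of the lookup. This is an added example, not code from the article or from the researchers. It assumes the vulnerable pattern takes the form of a lookup by name that picks the newest match without restricting the publishing account; the catalog records, account IDs and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed account ID standing in for the publisher the caller expects.
TRUSTED_OWNER = "111111111111"

# Constructed records using field names from the EC2 DescribeImages response.
CATALOG = [
    {"ImageId": "ami-0aaa0000000000001", "Name": "example-linux-2024.01-x86_64",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-01-10T00:00:00.000Z"},
    {"ImageId": "ami-0aaa0000000000002", "Name": "example-linux-2024.06-x86_64",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-06-02T00:00:00.000Z"},
    # Same naming scheme, newer timestamp, published by an unrelated account.
    {"ImageId": "ami-0bbb0000000000009", "Name": "example-linux-2025.01-x86_64",
     "OwnerId": "999999999999", "CreationDate": "2025-01-15T00:00:00.000Z"},
]


def newest_match(catalog, name_pattern, owners=None):
    """Return the newest image whose name matches name_pattern.

    owners=None models the assumed vulnerable lookup: any account's image
    is eligible. Passing a set of account IDs models the hardened lookup.
    """
    candidates = [
        img for img in catalog
        if fnmatchcase(img["Name"], name_pattern)
        and (owners is None or img["OwnerId"] in owners)
    ]
    if not candidates:
        raise LookupError(f"no image matches {name_pattern!r} for owners {owners}")
    # Timestamps share one ISO 8601 format, so string order is time order.
    return max(candidates, key=lambda img: img["CreationDate"])


def unexpected_owners(catalog, name_pattern, trusted):
    """Audit helper: accounts outside `trusted` publishing a matching name."""
    return {
        img["OwnerId"] for img in catalog
        if fnmatchcase(img["Name"], name_pattern) and img["OwnerId"] not in trusted
    }


if __name__ == "__main__":
    pattern = "example-linux-*-x86_64"
    print("no owner filter :", newest_match(CATALOG, pattern)["ImageId"])
    print("owner filter    :", newest_match(CATALOG, pattern, {TRUSTED_OWNER})["ImageId"])
    print("other publishers:", unexpected_owners(CATALOG, pattern, {TRUSTED_OWNER}))
```

With no owner restriction the lookup returns the image from the unrelated account because it is the newest name match; pinning the owner returns the expected publisher's latest image.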