Possible software supply chain attack through AWS CodeBuild service blunted

News | January 16, 2026 | Artifice Prime

An AWS misconfiguration in its code building service could have led to a massive number of compromised key AWS GitHub code repositories and applications, say researchers at Wiz who discovered the problem.

The vulnerability stemmed from a subtle flaw in how the repositories’ AWS CodeBuild CI (continuous integration) pipelines handled build triggers. “Just two missing characters in a regex filter allowed unauthenticated attackers to infiltrate the build environment and leak privileged credentials,” the researchers said in a Thursday blog.  

The regex (regular expression) filter at the center of the issue is an automated pattern-matching rule that scans log output for secrets and hides them to prevent leakage.

The issue allowed a complete takeover of key AWS GitHub repositories, particularly the AWS JavaScript SDK, a core library that powers the AWS Console.

“This shows the power and risk of supply chain vulnerabilities,” Yuval Avrahami, co-author of the report about the bug, told CSO, “which is exactly why supply chain attacks are on the rise: one small flaw can lead to an insanely impactful attack.”

After being warned of the vulnerability last August, AWS quickly plugged the hole and implemented global hardening within the CodeBuild service to prevent the possibility of similar attacks. Details of the problem are only being revealed now by Wiz and AWS.

AWS told CSO that it “found that there was no impact on the confidentiality or integrity of any customer environment or AWS service.” It also advised developers to follow best practices in using AWS CodeBuild.

But the Wiz researchers warned developers using the product to take steps to protect their projects from similar issues.

Discovery

Wiz discovered the problem last August after an attempted supply chain attack on the Amazon Q VS Code extension. An attacker exploited a misconfigured CodeBuild project to compromise the extension’s GitHub repository and inject malicious code into the main branch. This code was then included in a release which users downloaded. Although the attacker’s payload ultimately failed due to a typo, it did execute on end users’ machines – clearly demonstrating the risk of misconfigured CodeBuild pipelines. 

Wiz researchers investigated and found the core of the flaw, an actor ID filter bypass caused by unanchored regexes, and notified AWS. Within 48 hours, that hole was plugged, AWS said in a statement accompanying the Wiz blog.

It also performed additional hardening, including adding further protections to all build processes that contain GitHub tokens or any other credentials in memory. AWS said it also audited all other public build environments to ensure that no such issues exist across the AWS open source estate.

In addition, it examined the logs of all public build repositories, as well as associated CloudTrail logs, “and determined that no other actor had taken advantage of the unanchored regex issue demonstrated by the Wiz research team. AWS determined there was no impact of the identified issue on the confidentiality or integrity of any customer environment or any AWS service.” 

Kellman Meghu, chief technology officer at Deepcove Cybersecurity, a Canada-based risk management firm, said it wouldn’t be a huge issue for developers who don’t publicly expose CodeBuild. “But,” he added, “if people are not diligent, I see how it could be used. It’s slick.”

Developers shouldn’t expose build environments

CSOs should ensure developers don’t expose build environments, Meghu said. “Using public hosted services like GitHub is not appropriate for enterprise code management and deployment,” he added. “Having a private GitLab/GitHub, service, or even your own git repository server, should be the default for business, making this attack impossible if [the threat actors] can’t see the repository to begin with. The business should be the one that owns the repository; [it should] not be something you just let your developers set up as needed.” In fact, he said, IT or infosec leaders should set up the code repositories. Developers “should be users of the system, not the ultimate owners.” 

Wiz strongly recommends that all AWS CodeBuild users implement the following safeguards to protect their own projects against possible compromise.

  • Prevent untrusted Pull Requests from triggering privileged builds by:
    • if you must rely on webhook filters, ensure their regex patterns are anchored.
  • Secure the CodeBuild-GitHub connection by:
    • generating a unique, fine-grained Personal Access Token (PAT) for each CodeBuild project;
    • considering using a dedicated unprivileged GitHub account for the CodeBuild integration.
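Added example (not from the Wiz or AWS material): a small Python model of the anchored-versus-unanchored actor ID regex filter the article describes, plus the review check a team can run over its own webhook filter patterns. The actor IDs are constructed for illustration, and modelling the filter with `re.search` is an assumption, not CodeBuild's documented matching code.

```python
import re

# Constructed sample values for illustration only; not real account IDs.
TRUSTED_ACTOR_ID = "123456"  # the one account allowed to trigger privileged builds
CANDIDATE_ACTOR_IDS = ["1234567", "9123456", "123456", "654321"]

# The weak form described in the article: nothing pins the pattern to the
# start and end of the actor ID, so any ID that merely *contains* the
# trusted digits also satisfies the filter.
UNANCHORED_PATTERN = r"123456"

# The corrected form ("just two missing characters"): the whole actor ID
# must equal the trusted value, so substring matches are rejected.
ANCHORED_PATTERN = r"^123456$"


def filter_allows(pattern: str, actor_id: str) -> bool:
    """Model a regex-based webhook filter (assumed search semantics)."""
    return re.search(pattern, actor_id) is not None


def actors_allowed(pattern: str, candidates: list[str]) -> list[str]:
    """Return the candidate actor IDs that would pass the given filter."""
    return [actor for actor in candidates if filter_allows(pattern, actor)]


def audit_pattern(pattern: str) -> list[str]:
    """Review check: report missing anchors before a pattern is trusted."""
    issues = []
    if not pattern.startswith("^"):
        issues.append("missing start anchor '^'")
    if not pattern.endswith("$"):
        issues.append("missing end anchor '$'")
    return issues


if __name__ == "__main__":
    for label, pattern in (("unanchored", UNANCHORED_PATTERN),
                           ("anchored", ANCHORED_PATTERN)):
        print(label, "allows:", actors_allowed(pattern, CANDIDATE_ACTOR_IDS),
              "audit:", audit_pattern(pattern) or "ok")
```

Running the block shows the unanchored filter admitting two look-alike IDs alongside the trusted one, while the anchored filter admits only the trusted ID.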

Original Link:https://www.infoworld.com/article/4117662/possible-software-supply-chain-attack-through-aws-codebuild-service-blunted.html
Originally Posted: Thu, 15 Jan 2026 22:19:45 +0000


Artifice Prime

Artifice Prime is an AI enthusiast with over 25 years of experience as a Linux Sys Admin. They have an interest in Artificial Intelligence, its use as a tool to further humankind, as well as its impact on society.
