AWS fixes cloud development kit security flaw that could allow for complete account takeover
Date:
Fri, 25 Oct 2024 10:25:50 +0000
Description:
A predictable naming pattern in the bootstrap process could have been abused to give crooks the keys to the kingdom.
FULL STORY ======================================================================
Amazon Web Services (AWS) has fixed a security flaw in its Cloud Development Kit (CDK) which could have allowed threat actors to fully take over people's accounts.
The AWS Cloud Development Kit (CDK) is an open source software development framework that allows developers to define cloud infrastructure using
familiar programming languages like TypeScript, Python, and Java. It simplifies the process of creating and managing AWS resources by converting code into AWS CloudFormation templates, enabling infrastructure as code (IaC) practices.
In order to deploy an app, users are first required to bootstrap the environment, which creates the necessary components such as identity and access management (IAM) roles, permissions, policies, and an S3 staging bucket. The S3 staging buckets all follow the same naming pattern: "cdk-{Qualifier}-{Description}-{Account-ID}-{Region}". That means crooks can easily predict the name, as long as they know the AWS account ID and the region in which the CDK is deployed.
Thousands of instances
"Since the Prefix is always cdk, the Qualifier is by default hnb659fds, and assets is a constant string in the bucket name, the only variables that change are the Account ID and the Region," explained cybersecurity researchers from Aqua, who first spotted the flaw.
This means crooks could claim someone else's CDK staging bucket name in advance, preload it with malicious files, and then simply wait for the victim's deployment to pick them up and run them.
To make matters worse, Aqua says there are thousands of instances in which the default qualifier is used in the bootstrap process, making it trivial to claim another user's CDK staging bucket name. In fact, the problem could "allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," the researchers explained.
Aqua reported the flaw to Amazon, which patched it in early July this year. The first CDK version containing the fix is v2.149.0.
Via The Register
======================================================================
Link to news story:
https://www.techradar.com/pro/security/aws-fixes-cloud-development-kit-security-flaw-that-could-allow-for-complete-account-takeover
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)