Current Cyber Threats

CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via Code

Summary:
Wiz Research recently disclosed a critical supply chain vulnerability, dubbed "CodeBreach," which stemmed from a subtle misconfiguration in AWS CodeBuild CI/CD pipelines. The flaw involved an unanchored Regular Expression (Regex) used in a webhook filter meant to restrict build triggers to trusted GitHub users. Specifically, the ACTOR_ID filter lacked start (^) and end ($) anchors, allowing any GitHub user whose unique ID contained a trusted ID as a substring to trigger a build. By automating the creation of GitHub App bot accounts to "race" for specific sequential IDs, researchers successfully bypassed these filters. Once inside the build environment, they performed a memory dump to extract GitHub Personal Access Tokens (PATs) with administrative privileges. This exploit granted full control over high-profile repositories, including the AWS JavaScript SDK, which powers the AWS Console and is used in approximately 66% of cloud environments.


Security Officer Comments:
This research underscores an evolving reality in the threat landscape: adversaries are increasingly bypassing the need for complex software zero-days by instead exploiting "logic gaps" in the infrastructure that builds that software. For those consuming AWS services, this vulnerability created a "watering hole" scenario where the primary tools used to manage cloud infrastructure, including the AWS Console and core SDKs, could have been weaponized against them. For organizations that develop software or provide services, this incident serves as a stark reminder of the fragility of CI/CD security. The "CodeBreach" technique proves that even a two-character oversight in a configuration file can facilitate a total organizational takeover. Given that GitHub IDs are sequential and predictable, this "ID Eclipse" method is a repeatable tactic that may be deployed against any organization currently relying on unanchored Regex for CI/CD gating.


Suggested Corrections:
While no immediate action is required by downstream consumers of the affected AWS GitHub repositories, we strongly recommend that all AWS CodeBuild users implement the following safeguards to protect their own projects against similar issues.
  • Prevent Untrusted Pull Requests from Triggering Privileged Builds
  • Secure the CodeBuild-GitHub Connection
    • Generate a unique, fine-grained Personal Access Token (PAT) for each CodeBuild project.
    • Strictly limit the PAT's permissions to the minimum the project requires.
    • Consider using a dedicated unprivileged GitHub account for the CodeBuild integration.
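The following is an added example (not code from the bulletin, from Wiz, or from AWS) that models the unanchored ACTOR filter described in the summary and the first correction above, showing the weak pattern beside its anchored form and a small audit that flags filter patterns which still accept look-alike IDs. It assumes the CodeBuild webhook filter type is named ACTOR_ACCOUNT_ID with a regex `pattern`, that matching uses unanchored search semantics (emulated here with `re.search`), and that every ID and filter group below is constructed for illustration.

```python
import re

# Constructed sample values: made-up numeric GitHub user IDs, not real accounts.
TRUSTED_IDS = ["12345", "67890"]

# Unanchored pattern of the kind the page describes: any ID that merely
# contains a trusted ID as a substring is accepted.
WEAK_PATTERN = "|".join(TRUSTED_IDS)                 # "12345|67890"
# Anchored on one side only; the alternation still leaves a hole.
HALF_PATTERN = "^12345|67890$"
# Hardened pattern: alternation grouped and anchored at both ends.
SAFE_PATTERN = "^(" + "|".join(TRUSTED_IDS) + ")$"   # "^(12345|67890)$"


def actor_allowed(actor_id: str, pattern: str) -> bool:
    """Emulate the webhook ACTOR filter (assumed unanchored search semantics)."""
    return re.search(pattern, actor_id) is not None


def loose_actor_filters(filter_groups):
    """Audit CodeBuild-style webhook filter groups. For each ACTOR_ACCOUNT_ID
    pattern, take every numeric literal in it and check whether an ID that only
    contains that literal (an extra digit before and/or after it) still matches.
    Returns the patterns that accept such look-alike IDs, in config order."""
    loose = []
    for group in filter_groups:
        for flt in group:
            if flt.get("type") != "ACTOR_ACCOUNT_ID":
                continue
            pattern = flt["pattern"]
            for trusted in re.findall(r"\d+", pattern):
                lookalikes = ["9" + trusted, trusted + "9", "9" + trusted + "9"]
                if any(re.search(pattern, x) for x in lookalikes):
                    loose.append(pattern)
                    break
    return loose


# Constructed filter groups in the type/pattern shape CodeBuild webhooks use.
FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": WEAK_PATTERN}],
    [{"type": "EVENT", "pattern": "PULL_REQUEST_UPDATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": HALF_PATTERN}],
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": SAFE_PATTERN}],
]

if __name__ == "__main__":
    for actor in ["12345", "9123456"]:
        print(actor, actor_allowed(actor, WEAK_PATTERN), actor_allowed(actor, SAFE_PATTERN))
    print("loose filters:", loose_actor_filters(FILTER_GROUPS))
```

Running the audit over a project's real webhook filter groups (for example the `filterGroups` returned by the CodeBuild API) is a quick way to confirm that every ACTOR pattern is anchored before relying on it to gate privileged builds.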
Link(s):
https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild