{"id":1953,"date":"2025-02-13T10:03:35","date_gmt":"2025-02-13T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/amazon-machine-image-name-confusion-attack-let-attackers-publish-resource\/"},"modified":"2025-02-13T10:03:35","modified_gmt":"2025-02-13T10:03:35","slug":"amazon-machine-image-name-confusion-attack-let-attackers-publish-resource","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/13\/amazon-machine-image-name-confusion-attack-let-attackers-publish-resource\/","title":{"rendered":"Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource"},"content":{"rendered":"<p>Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource<\/p>\n<div>\n<p>Researchers uncovered a critical vulnerability in <a href=\"https:\/\/cybersecuritynews.com\/aws-patches-multiple-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon Web Services (AWS)<\/a> involving Amazon Machine Images (AMIs).\u00a0<\/p>\n<p>Dubbed the \u201cwhoAMI\u201d attack, this exploit leverages a name confusion attack, a subset of supply chain attacks, to gain unauthorized code execution within AWS accounts.\u00a0<\/p>\n<p>The vulnerability arises from misconfigured software that retrieves AMIs without properly specifying trusted owners, potentially exposing thousands of AWS accounts to exploitation.<\/p>\n<p>The \u201cwhoAMI\u201d attack exploits a common pattern in retrieving AMI IDs via the ec2:DescribeImages API.\u00a0<\/p>\n<p>This API allows users to filter images based on attributes like name, but the results can inadvertently include malicious AMIs if the Owners parameter is not explicitly set.\u00a0<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" 
src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcEF8G_XLY8GpV_FWDHJe7ADkVKVzx8oeHzKHQ_3kY6LZsSlBDRtmY4d5kHpZTXv5DrOgrPXpE-7MtKShBkoh_ycRbwpAtutGuVEicNpwG72JdPIEZj14r1mrmoeYKOHQnQVc7N?key=MBZjuayS75bUzFSyint87SBH\" alt=\"\"><figcaption class=\"wp-element-caption\">Attack flow of the whoAMI name confusion attack<\/figcaption><\/figure>\n<\/div>\n<p>For example, the following Terraform code snippet illustrates a vulnerable configuration:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXex89TdXO8IjC9WnjEAiUGaficyumRI6DcoswFAAD43AyWXBT2CpuyTxXW8GzGsVJJfOG5DnBkeHAo3yES0LJm3E54YIMat4ig8yQFypxwlCqqFDU4UbAPpqUABUrBCp1uUzcHzaQ?key=MBZjuayS75bUzFSyint87SBH\" alt=\"\"><figcaption class=\"wp-element-caption\">Vulnerability triggered<\/figcaption><\/figure>\n<\/div>\n<p>When executed, this code retrieves the most recently published AMI matching the filter criteria, regardless of its source, according to the Datadog Security Labs <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/whoami-a-cloud-image-name-confusion-attack\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">report<\/a>.\u00a0<\/p>\n<p>An attacker can exploit this by publishing a malicious AMI with a crafted name (e.g., ubuntu\/images\/hvm-ssd\/ubuntu-focal-20.04-amd64-server-whoAMI) that appears more recent than the legitimate images.<\/p>\n<p>If deployed at scale, this attack could compromise thousands of <a href=\"https:\/\/cybersecuritynews.com\/aws-cdk-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">AWS accounts<\/a>. 
Datadog estimates that approximately 1% of organizations using AWS are vulnerable.<\/p>\n<p>Unexpectedly, internal non-production systems within AWS were also found susceptible to this attack during Datadog\u2019s research.\u00a0<\/p>\n<p>If exploited, this vulnerability could have enabled attackers to execute arbitrary code within AWS\u2019s internal systems.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"whoAMI exploitation demonstration\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/l-WEXFJd-Bo?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div>\n<\/figure>\n<p>This vulnerability extends beyond Terraform and affects other tools and languages, including Python, Go, and Bash scripts using the AWS CLI.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>AWS Response and Mitigation<\/strong><\/h2>\n<p>AWS promptly addressed the issue after it was disclosed by Datadog. AWS introduced Allowed AMIs, a defense-in-depth feature that lets users create an allow list of trusted AMI providers by specifying account IDs or predefined keywords such as amazon.\u00a0This feature ensures that only verified AMIs are used in EC2 deployments.<\/p>\n<p>To further assist organizations, Datadog released an open-source tool called whoAMI-scanner, which audits cloud environments for untrusted AMIs.\u00a0<\/p>\n<p>This tool helps identify and mitigate the risks associated with deploying potentially malicious images. 
Hence, organizations are urged to adopt AWS\u2019s new features and follow best practices to protect their cloud infrastructure from similar vulnerabilities.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/amazon-machine-image-name-confusion-attack\/\">Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource Researchers uncovered a critical vulnerability in Amazon Web Services (AWS) involving Amazon Machine Images (AMIs).\u00a0 Dubbed the \u201cwhoAMI\u201d attack, this exploit leverages a name confusion attack, a subset of supply chain attacks, to gain unauthorized code execution within AWS accounts.\u00a0 The vulnerability arises from misconfigured 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-1953","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1953"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1953"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1953\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}