Wiz: Misconfigured AWS System Could Have Enabled Largest-Ever Supply Chain Attack
The CodeBuild CI/CD misconfiguration—which was discovered by Wiz researchers and quickly remediated by AWS—could have put a vast number of AWS customer environments at risk and should serve as an ‘alarm bell’ for the cybersecurity industry, Wiz CTO Ami Luttwak tells CRN.
A misconfigured AWS system that was remediated in August—averting a potentially massive and unprecedented software supply chain compromise—should serve as a warning to the cybersecurity industry about under-recognized risks within the modern software development process, according to researchers at Wiz, which discovered the issue.
The CodeBuild CI/CD misconfiguration was quickly remediated by AWS following its discovery by researchers at cloud and AI security vendor Wiz, and no customer accounts were impacted, according to the companies. However, the issue—which could have put a vast number of AWS customer environments at risk if a threat actor had found it first—should serve as an “alarm bell” for the cybersecurity industry, Wiz co-founder and CTO Ami Luttwak told CRN.
“The fact that the CI/CD system, with a misconfiguration, might allow you to get admin access to internet repositories—it completely breaks the entire security barrier that we've thought about [to date],” Luttwak said.
In other words, “the potential impact could have been something we've never seen,” he said. “We've never seen an attack at that scale on supply chain.”
The issue—dubbed “CodeBreach” by the Wiz research team—differs from prior software supply chain incidents that involved tampering with code in a third-party application, such as the widely felt SolarWinds and Codecov compromises.
The difference in this case, according to Wiz, is that researchers demonstrated they could compromise the software build system itself, which could have led to a far wider impact due to the ubiquity of cloud systems.
The misconfiguration had the potential to impact the AWS Console, which is the web-based control panel for management of services on the cloud platform—meaning that untold numbers of AWS accounts could have been put at risk, according to Wiz.
Ultimately, this is a new breed of attack because it “cuts through all of the existing security controls that companies have,” Luttwak said. “I believe that we will see more and more [of these] types of attacks and bigger-impact attacks.”
Potential For ‘Platform-Wide Compromise’
As a result of the CodeBuild CI/CD misconfiguration, Wiz researchers found that a “complete takeover of key AWS GitHub repositories” was possible, the company said in a blog post.
Crucially, Wiz researchers found that they could compromise the AWS JavaScript SDK, which is a core library used for powering the AWS Console.
An exploit of the weakness could have allowed a threat actor to inject malicious code, potentially leading to “a platform-wide compromise,” the post said.
Put another way, an attacker who exploited the issue to impact the AWS Console could have had their malicious code “running on the website of every AWS account,” said Yuval Avrahami, the Wiz vulnerability researcher who initially discovered the issue.
Rapid Mitigation
Following the disclosure of the CodeBuild issue to AWS by Wiz in late August, AWS mitigated the core issue within 48 hours, according to the companies.
In addition, “AWS immediately investigated Wiz’s research and found that there was no impact on the confidentiality or integrity of any customer environment or AWS service,” AWS said in a statement provided to CRN. “To mitigate any potential future threats related to the findings, we implemented additional remediations.”
AWS was “very responsive” and moved rapidly to address the issue after it was disclosed, according to Nir Ohfeld, head of vulnerability research at Wiz.
The fact that AWS closed the issue within 48 hours was “really impressive for an organization of this size,” Ohfeld said.
Wiz, which expects to finalize its $32 billion acquisition by Google this year, has a track record of discovering critical public cloud vulnerabilities such as the “ChaosDB” cross-tenant vulnerability and the widely exploited “OMIGOD” flaw, both of which impacted Microsoft Azure.
Increased Awareness
Looking ahead, Wiz researchers said they hope the “CodeBreach” incident will spark broader awareness about the need for protecting against risks to CI/CD pipelines, source code repositories and software build systems.
Those are areas where, currently, “we don't have enough controls and barriers and boundaries,” Luttwak said.
In the security industry, “usually we start from the exposure in the production environment,” he said. “Now, as we understand this attack surface, we believe that the industry needs to start looking also at exposure on CI/CD systems, on GitHub, on developer machines, on third-party software. These are new types of attack surfaces that we need to focus on.”