medium

Overprivileged CodeBuild default ECR IAM policy

Published Sat, Feb 25th, 2023
Platforms

Summary

For AWS CodeBuild, when a project uses a custom container image stored in ECR and relies on the project service role for the credentials to pull that image, the default IAM policy attached to the role to allow pulling the container was overprivileged: it also allowed the CodeBuild container to overwrite its own build image. An attacker able to read the container credentials from the metadata service, or to run commands within the container, could thereby overwrite the image to gain persistence within the CodeBuild project.

Affected Services

AWS CodeBuild, AWS ECR

Remediation

For any CodeBuild projects created before July 26, 2022, which are using a custom container image, update those projects' IAM policies to match the updated policy. Please refer to the CodeBuild documentation for updating your project's IAM policies: https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#ecr-policies
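The following is an added audit helper, not code from the advisory or from AWS: it takes a CodeBuild service role's policy document and reports every ECR action that could push, replace or delete an image, so a project whose role should only pull its build image can be checked for the overprivileged pattern described above. The two policy documents are constructed for illustration; the set of write actions and the pull-only set are my assumptions about which ECR actions matter, and the function expands IAM wildcards such as `ecr:*` against that set.

```python
import fnmatch
import json

# ECR actions that let a principal push, replace or delete images (assumed set).
# A service role that only needs to pull its build image should have none of
# these; the pull set is ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability,
# ecr:GetDownloadUrlForLayer and ecr:BatchGetImage.
ECR_WRITE_ACTIONS = (
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository",
    "ecr:DeleteRepositoryPolicy", "ecr:SetRepositoryPolicy",
)

def _as_list(value):
    """IAM allows Statement/Action to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_ecr_write_grants(policy):
    """Return (sorted) the ECR write actions that any Allow statement grants.

    Wildcards in Action ("*", "ecr:*", "ecr:Put*") are expanded against
    ECR_WRITE_ACTIONS; matching is case-insensitive like IAM's. Deny statements
    are ignored, so the result is an upper bound: an empty list means no Allow
    in this document can modify a repository, anything reported needs review.
    """
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ECR_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return sorted(found)

# Constructed policy documents (not AWS's published defaults): the first lets the
# build container push layers back over its own image, the second is pull-only.
OVERPRIVILEGED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
             "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:InitiateLayerUpload",
             "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
  "Resource": "*"}]}""")
PULL_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
             "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
  "Resource": "*"}]}""")

if __name__ == "__main__":
    print("overprivileged grants:", find_ecr_write_grants(OVERPRIVILEGED))
    print("pull-only grants:", find_ecr_write_grants(PULL_ONLY))
```

To audit a live project, feed the function the inline and attached policy documents of the project's service role (for example from `aws iam get-role-policy` / `aws iam get-policy-version`) and treat any non-empty result on a pull-only role as a finding.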

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, Jul 4th, 2022
Exploitability Period
Until July 26, 2022
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
5.69
(PI:1.5/A3:1/A4:1/A5:1.05/A6:6/A7:1.1/A8:1.1)
Discovered by
Will Deane, ASX Consulting