Published Sat, Feb 25th, 2023
For AWS CodeBuild, when a project uses a custom container image stored in ECR and the project service role's credentials to pull that image, the default IAM policy attached to the role to allow pulling the container was over-privileged: it also allowed the CodeBuild container to overwrite its own build image. An attacker able to read the container credentials from the instance metadata service or to run commands within the container could thereby overwrite the image to gain persistence within the CodeBuild project.
Platforms
AWS CodeBuild, AWS ECR
For any CodeBuild project created before July 26, 2022 that uses a custom container image, update the project's IAM policies to match the updated policy. Refer to the CodeBuild documentation on updating your project's IAM policies: https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#ecr-policies
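The entry lists no detection method, so a practical check is to audit the service role's policy document for ECR actions that can replace image content. The following Python script is an added example, not part of this entry and not the policy AWS generated for affected projects (the entry does not reproduce that policy): the two sample policy documents, the repository ARN and the account ID are constructed for illustration, and the list of "write" actions is the author's assumption of what a pull-only role should never hold. The checker expands IAM action wildcards (`ecr:*`, `ecr:Put*`) and handles `NotAction` statements, so it goes beyond the single policy the entry describes.

```python
"""Flag IAM policy statements that let a CodeBuild service role push to ECR.

Added, self-contained example. The policies below are constructed for
illustration; they are not the policy AWS attached to affected projects.
"""
import fnmatch
import json

# ECR actions that can create, replace or remove image content or change who
# may push. A role that only pulls a build image needs none of these.
# (Assumed list for this example; extend it to taste.)
ECR_WRITE_ACTIONS = {
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:BatchDeleteImage",
    "ecr:PutImageTagMutability",
    "ecr:SetRepositoryPolicy",
    "ecr:DeleteRepository",
    "ecr:DeleteRepositoryPolicy",
}

# Least-privilege set a CodeBuild project needs to pull a custom image.
ECR_PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}

# Constructed repository ARN (111122223333 is a documentation example account).
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/build-image"

# Constructed "before" policy: pull permissions plus the push permissions that
# would let a build job overwrite the very image it runs in.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage",
            ],
            "Resource": REPO_ARN,
        },
    ],
}

# Constructed "after" policy: pull-only, scoped to the one repository.
PULL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(ECR_PULL_ACTIONS - {"ecr:GetAuthorizationToken"}),
         "Resource": REPO_ARN},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/NotAction/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_write_actions(pattern):
    """Expand one Action entry (IAM wildcards, case-insensitive) into the
    concrete ECR write actions it matches."""
    pat = pattern.lower()
    return {a for a in ECR_WRITE_ACTIONS if fnmatch.fnmatchcase(a.lower(), pat)}


def find_ecr_write_grants(policy):
    """Return (statement_index, action, resource) for every Allow statement
    that grants an ECR write action. NotAction grants everything not listed,
    so for it we report the write actions the exclusion list does not cover."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = set()
            for pattern in _as_list(stmt["NotAction"]):
                excluded |= matched_write_actions(pattern)
            granted = ECR_WRITE_ACTIONS - excluded
        else:
            granted = set()
            for pattern in _as_list(stmt.get("Action")):
                granted |= matched_write_actions(pattern)
        resources = _as_list(stmt.get("Resource")) or ["*"]
        for action in sorted(granted):
            for res in resources:
                findings.append((idx, action, res))
    return findings


def is_pull_only(policy):
    """True when the policy grants no ECR write action at all."""
    return not find_ecr_write_grants(policy)


if __name__ == "__main__":
    for name, pol in (("over-privileged", OVERPRIVILEGED_POLICY), ("pull-only", PULL_ONLY_POLICY)):
        print(name, json.dumps(find_ecr_write_grants(pol), indent=1))
```

To run this against a real project, fetch the role's inline and attached policy documents (for example with `aws iam get-role-policy` and `aws iam get-policy-version`) and pass each parsed document to `find_ecr_write_grants`; any finding on the repository that holds the build image is the condition this entry describes.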
No tracked CVEs
Contributed by https://github.com/willdeane
Entry Status
Finalized
Disclosure Date
Mon, Jul 4th, 2022
Exploitability Period
Until July 26, 2022
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
5.69
(PI:1.5/A3:1/A4:1/A5:1.05/A6:6/A7:1.1/A8:1.1)
Discovered by
Will Deane, ASX Consulting