low

Codebuild data exfiltration

Published Thu, Feb 3rd, 2022

Platforms

Summary

When customers attach a CodeBuild project to their VPC, CodeBuild’s build container will apply the same network routing rules as defined in the customer’s VPC Security Group. However, CodeBuild EC2 hosts retained Internet connectivity via AWS's own VPC, thus allowing an attacker to bypass any custom VPC rules the customer had set up, and use CodeBuild for data exfiltration from the targeted environment. AWS later updated the CodeBuild service to block all outbound network access for newly created CodeBuild projects which contain a customer-defined VPC configuration.

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://awsteele.com/blog/2022/02/03/aws-vpc-data-exfiltration-using-codebuild.html

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Thu, Feb 3rd, 2022

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Aidan Steele

More vulnerabilities...

critical

SuperGlue

Compromise of internal AWS Glue service to assume the glue role in any AWS account that used glue.

Yanir Tsarimi, Orca SecurityJan 13, 2022

critical

BreakingFormation

Read access of host of AWS internal Cloudformation service via XXE SSRF. The level of access with the compromised IAM role from there is unclear.

Tzah Pahima, Orca SecurityJan 13, 2022

AWS AI services ToS allow sharing of customer data

Use of the AI services on AWS allows customer data to be moved outside of the regions it is used in and potentially shared with third-parties. Note: This issue is outside the scope of this database...

Ben BridtsJan 6, 2022

View all