Advisory

Critical Flaw Reported in AWS CodeBuild

Take action: If you use AWS CodeBuild, audit all your CI/CD pipelines to ensure regex filters have proper anchors (^ and $) and switch to fine-grained tokens with minimal permissions. Review who has access to trigger builds and enable pull request approval gates to prevent untrusted code from running in your build environments.


Learn More

Wiz researchers discovered a flaw, which they named "CodeBreach", in the supply chain behind the AWS Console.

This flaw (no CVE assigned) allowed attackers to take over core AWS GitHub repositories, including the AWS JavaScript SDK. This library powers the AWS Console and runs in roughly 66% of cloud environments. Attackers could have injected malicious code into the SDK to steal credentials or control cloud infrastructure globally.

The vulnerability was caused by how AWS CodeBuild CI pipelines handled build triggers. The system used a regex filter to verify the GitHub user ID of the person starting a build. However, the filter lacked start (^) and end ($) anchors, so the pattern was matched as a substring: any user whose ID contained a trusted ID as a substring could trigger a privileged build. Researchers exploited this by creating bot accounts until they generated an ID that matched the required pattern.

Once the filter was bypassed, the researchers ran a malicious payload within the build environment. They dumped the system memory to steal a GitHub Personal Access Token (PAT). This token belonged to an automation account with full admin rights over the repository. With this access, an attacker could push code directly to the main branch or change repository settings without further checks.

The potential impact was significant because the AWS Console uses recent versions of the affected SDK. A compromised SDK would allow attackers to exfiltrate sensitive data from millions of applications. This incident follows similar patterns seen in the Amazon Q and Nx S1ngularity attacks, where CI/CD flaws led to repository takeovers.

AWS patched the issue by anchoring the regex filters and revoking the compromised tokens. They also introduced a "Pull Request Comment Approval" build gate to prevent untrusted code from running. Organizations should audit their CodeBuild projects and ensure they use fine-grained tokens with minimal permissions.
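To make the mechanism concrete and to give a starting point for the audit recommended above, here is an added example (not code from Wiz, AWS, or this advisory) that models how an unanchored regex filter admits a substring match, and walks CodeBuild-style webhook filter groups to flag ACTOR_ACCOUNT_ID patterns that do not pin both ends of the input. The trusted ID value and the filter groups are constructed sample data; the substring (search) matching semantics are an assumption chosen to reproduce the behaviour the advisory describes.

```python
import re

# Constructed sample value: a hypothetical trusted GitHub numeric user ID.
TRUSTED_ACTOR_ID = "1234567"

# The two forms of the filter pattern: unanchored (as described in the advisory)
# and anchored (the fix AWS applied).
UNANCHORED_PATTERN = TRUSTED_ACTOR_ID
ANCHORED_PATTERN = f"^{TRUSTED_ACTOR_ID}$"


def filter_allows(pattern: str, actor_id: str) -> bool:
    """Model of a regex webhook filter deciding whether an actor may trigger a build.

    Assumption: the filter uses substring (search) semantics, which is exactly what
    makes missing anchors dangerous. With re.fullmatch the anchors would be implicit.
    """
    return re.search(pattern, actor_id) is not None


def _has_top_level_alternation(body: str) -> bool:
    """True if an unescaped '|' appears outside any parentheses or character class.

    '^123|456$' is anchored at both edges textually but still matches '...123...'
    or '...456', so edge anchors alone are not enough.
    """
    depth = 0
    in_class = False
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return True
        i += 1
    return False


def is_fully_anchored(pattern: str) -> bool:
    """Audit check: the pattern must start with '^', end with an unescaped '$',
    and contain no top-level alternation that would bypass those anchors."""
    if not (pattern.startswith("^") and pattern.endswith("$")) or pattern.endswith(r"\$"):
        return False
    return not _has_top_level_alternation(pattern[1:-1])


def audit_filter_groups(filter_groups):
    """Report (group_index, pattern) for every ACTOR_ACCOUNT_ID filter that is not anchored.

    The input shape mirrors the webhook filterGroups structure returned by the
    CodeBuild BatchGetProjects API: a list of groups, each a list of filters with
    'type' and 'pattern' keys. Feeding real API output into this function is left to
    the reader; this example runs offline on constructed data.
    """
    findings = []
    for group_index, group in enumerate(filter_groups):
        for flt in group:
            if flt.get("type") == "ACTOR_ACCOUNT_ID" and not is_fully_anchored(flt["pattern"]):
                findings.append((group_index, flt["pattern"]))
    return findings


# Constructed sample: one weak filter group and one correctly anchored group.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": UNANCHORED_PATTERN},
    ],
    [
        {"type": "EVENT", "pattern": "PUSH"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": ANCHORED_PATTERN},
    ],
]

if __name__ == "__main__":
    # A lookalike ID that merely contains the trusted ID as a substring.
    lookalike = "9" + TRUSTED_ACTOR_ID + "0"
    print("unanchored admits lookalike:", filter_allows(UNANCHORED_PATTERN, lookalike))
    print("anchored admits lookalike:  ", filter_allows(ANCHORED_PATTERN, lookalike))
    print("audit findings:", audit_filter_groups(SAMPLE_FILTER_GROUPS))
```

The audit function only inspects the ACTOR_ACCOUNT_ID filter type because that is the control the advisory says was bypassed; the same anchoring check applies equally to HEAD_REF and BASE_REF patterns if a project gates builds on branch names.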
