Amazon EC2 instances under fire from whoAMI attacks potentially giving hackers code execution access
- A flaw named WhoAMI was found in Amazon Machine Image
- It allows threat actors to gain RCE abilities on people’s AWS accounts
- A fix has been released, but many users are still yet to update
Amazon Web Services (AWS) users are potentially vulnerable to a name confusion attack called “whoAMI”, experts have warned.
The vulnerability, found in Amazon Machine Image (AMI), was discovered in the summer of 2024 by cybersecurity researchers DataDog, and has now been confirmed by Amazon, which said it fixed the issue on its side, and urged users to update the code on their side and thus protect their premises.
AMI is a pre-configured template used to create and launch virtual servers (EC2 instances) in AWS. It includes an operating system, application software, and necessary configurations like storage and permissions. AMIs allow users to quickly deploy consistent environments, whether using AWS-provided images, community AMIs, or custom-built ones. This makes scaling and managing cloud infrastructure more efficient.
Following the naming pattern
AMIs can be public, or private, and once generated, come with a unique identifier. Public ones can even be found in the AWS catalog. But these public ones should also come with the ‘owners’ attribute, as a way to confirm that they’re coming from a trusted source.
Now, the researchers found that the way software projects retrieve AMI IDs was flawed, and allowed threat actors to gain remote code execution (RCE) capabilities within people’s AWS accounts.
The technical details on how the vulnerability works and how it might be exploited can be found on this link. Long story short, if a threat actor publishes an AMI with a name that follows the format used by trusted owners, it can be picked up by mistake.
When DataDog first discovered the flaw, it said that overall, a very small percentage of AWS users are vulnerable, but that still equals “thousands” of AWS accounts. Amazon responded by issuing a fix in mid-September last year, and releasing a new security control called “Allowed AMIs” in early December last year.
It also advised all users to apply the fixes, while stressing that there was no evidence of abuse in the wild.
Via BleepingComputer
You might also like
A flaw named WhoAMI was found in Amazon Machine Image It allows threat actors to gain RCE abilities on people’s AWS accounts A fix has been released, but many users are still yet to update Amazon Web Services (AWS) users are potentially vulnerable to a name confusion attack called “whoAMI”,…
