TL;DR

Wiz researchers discovered a critical misconfiguration in AWS CodeBuild webhook filters that could let untrusted GitHub users trigger builds and seize repository control. AWS patched the flaw after an August disclosure and says audits found no evidence of customer impact.

What happened

Wiz security researchers identified a supply-chain vulnerability they call CodeBreach in AWS CodeBuild, AWS's managed CI service, which can start builds in response to GitHub webhook events. The problem stemmed from unanchored regular expressions in the ACTOR_ID webhook filter: without start (^) and end ($) anchors, a pattern meant to allow one specific user ID also matches any user ID that merely contains that ID as a substring, so an attacker can satisfy the allow-list without being on it.

To obtain such an ID, the researchers automated the creation of GitHub Apps until one produced a bot user whose numeric ID was a superstring of a maintainer's ID. That bot opened a pull request whose seemingly ordinary change introduced a malicious NPM dependency designed to exfiltrate the credentials available to the build. With the harvested GitHub credentials they escalated privileges and created repository administrators, gaining the ability to push to main branches and exfiltrate secrets. Wiz disclosed the findings to AWS in August; AWS implemented fixes in September and reported no impact to customer environments.
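The bypass described above comes down to how a regular expression is applied. The following Python script is an added example, not code from Wiz or from AWS: it models the filter as applying search semantics (the pattern may match anywhere inside the actor ID, which is what the article's description implies), shows a superstring ID slipping past an unanchored allow-list, builds the anchored form, and audits a sample of webhook filter groups for the weakness. The filter groups, account IDs, and the "attacker" ID are constructed placeholders. The example uses the filter type name ACTOR_ACCOUNT_ID, which is how the CodeBuild API spells the filter the article calls ACTOR_ID.

```python
import re

# Constructed sample in the shape of webhook.filterGroups as returned by
# CodeBuild's BatchGetProjects: an outer list of filter groups, each an
# AND-ed list of filters. The account IDs are made-up placeholders.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234567|7654321"},       # unanchored
    ],
    [
        {"type": "EVENT", "pattern": "PUSH"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(1234567|7654321)$"},   # anchored
    ],
]

MAINTAINER_ID = "1234567"
ATTACKER_ID = "91234567"   # hypothetical bot user whose ID contains the maintainer's ID


def actor_matches(pattern: str, actor_id: str) -> bool:
    """Model a filter that applies the pattern with search semantics,
    i.e. the pattern may match anywhere inside the actor ID."""
    return re.search(pattern, actor_id) is not None


def anchored_pattern(allowed_ids) -> str:
    """Build an allow-list pattern that can only match a whole account ID.
    IDs are escaped and grouped so the anchors bind to every alternative."""
    return "^(" + "|".join(re.escape(i) for i in allowed_ids) + ")$"


def is_anchored(pattern: str) -> bool:
    """Conservative check that a pattern is anchored at both ends and has no
    top-level alternation (``^a|b$`` anchors each branch on one side only)."""
    if len(pattern) < 2 or pattern[0] != "^" or pattern[-1] != "$":
        return False
    if pattern[-2] == "\\":            # literal "\$", not an anchor
        return False
    depth, i = 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return False
        i += 1
    return True


def find_unanchored_actor_filters(filter_groups, filter_type="ACTOR_ACCOUNT_ID"):
    """Return (group_index, pattern) for every actor filter that a
    superstring account ID could satisfy."""
    findings = []
    for idx, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") == filter_type and not is_anchored(f.get("pattern", "")):
                findings.append((idx, f["pattern"]))
    return findings


if __name__ == "__main__":
    weak = SAMPLE_FILTER_GROUPS[0][1]["pattern"]
    print("weak filter admits attacker:", actor_matches(weak, ATTACKER_ID))
    fixed = anchored_pattern([MAINTAINER_ID, "7654321"])
    print("anchored filter:", fixed, "admits attacker:", actor_matches(fixed, ATTACKER_ID))
    print("audit findings:", find_unanchored_actor_filters(SAMPLE_FILTER_GROUPS))
```

To audit a real project, feed find_unanchored_actor_filters the output of aws codebuild batch-get-projects --names <project> --query 'projects[].webhook.filterGroups' (one outer list per project). Note that anchoring alone is only the first fix; an allow-list of actor IDs still lets any listed account start a build, so the build role and the secrets exposed to pull-request builds should be minimised as well.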

Why it matters

  • A compromised build pipeline can inject malicious code into widely used libraries, enabling large-scale downstream infections.
  • Wiz warns that the AWS SDK for JavaScript (aws-sdk-js-v3), one of the projects whose build pipeline was exposed, is present in a large share of cloud environments, so a poisoned release would have had a wide blast radius.
  • Attackers with repo admin access can modify releases and approve pull requests, undermining software supply-chain trust.
  • The issue highlights a broader CI/CD blind spot that can affect many providers and tooling, not just AWS.

Key facts

  • Vulnerability name: CodeBreach (as designated by Wiz researchers).
  • Affected service: AWS CodeBuild webhook filter logic, specifically the ACTOR_ID filter.
  • Root cause: regex patterns lacked ^ and $ anchors, allowing superstring GitHub IDs to match.
  • Researchers targeted four public CodeBuild-connected repos: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.
  • Wiz automated about 200 GitHub App creation attempts to obtain a bot user ID that bypassed the filter.
  • Using a crafted pull request with a hidden NPM dependency, researchers obtained GitHub credentials for the aws-sdk-js-v3 project and escalated to admin rights.
  • Wiz reported the issue to AWS in August; AWS says it fixed the configuration in September and added further mitigations.
  • AWS stated it audited public build environments and CloudTrail logs and found no evidence that other actors exploited the unanchored regex issue.
  • Wiz cautioned the weakness is a CI/CD supply-chain pattern that can affect other CI platforms and cloud providers.

What to watch next

  • AWS will publish a formal security bulletin about the findings and remediation steps (AWS said one is forthcoming).
  • Whether independent researchers or vendors find similar unanchored-regex or webhook misconfigurations in other CI/CD systems.
  • Whether any exploitation occurred beyond what AWS's audit of public build environments and CloudTrail logs could see; the source offers no independent, third-party confirmation either way.

Quick glossary

  • CI/CD: Continuous Integration and Continuous Delivery, the automated processes that build, test, and deploy software changes.
  • Webhook: An HTTP callback used by services like GitHub to notify external systems about events such as pull requests or commits.
  • Regex anchor: The ^ and $ metacharacters, which force a match to begin at the start of the input and end at its end. Without them the engine may match anywhere inside a longer string, so a pattern listing an allowed ID also matches any longer ID that contains it.
  • Supply-chain attack: A compromise that targets software dependencies, build processes, or repositories to inject malicious code into widely used software.
  • GitHub App: An integration that can act on behalf of a user or organization and interact with repositories via its own bot user and credentials.

Reader FAQ

Did this vulnerability allow attackers to control AWS environments?
Wiz researchers demonstrated a path to repo takeover that could lead to broad impact; AWS says its investigation found no effect on customer confidentiality or integrity.

Which AWS projects were shown to be affected in the research?
Wiz reported four public repositories that used the vulnerable filter: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.

When did AWS patch the issue?
Wiz disclosed to AWS in August and AWS applied fixes in September.

Is this problem unique to AWS CodeBuild?
According to the Wiz researcher quoted in the source article, the underlying CI/CD pattern is not unique to AWS and can exist in other CI tools and at other cloud providers.
