AWS fixes cloud development kit security flaw that could allow for complete account takeover

Trending 1 month ago
  1. Home
  2. Technology
  3. AWS fixes cloud development kit security flaw that could allow for complete account takeover
AWS Office
(Image credit: Tony Webster / Flickr)

Amazon Web Services (AWS) has fixed a information flaw successful its Cloud Development Kit (CDK) which could person allowed threat actors to afloat return complete people’s accounts.

The AWS Cloud Development Kit (CDK) is an open source package improvement model that allows developers to specify unreality infrastructure utilizing acquainted programming languages for illustration TypeScript, Python, and Java. It simplifies nan process of creating and managing AWS resources by converting codification into AWS CloudFormation templates, enabling infrastructure arsenic codification (IaC) practices.

In bid to deploy an app, users are first required to bootstrap nan environment, which includes creating basal components specified arsenic personality and entree guidance (IAM) ropes, permissions, policies, and an S3 staging bucket. The S3 staging buckets travel nan aforesaid naming pattern: "cdk-{Qualifier}-{Description}-{Account-ID}-{Region}". That means, crooks tin easy foretell nan name, arsenic agelong arsenic they cognize nan AWS Account-ID, and nan region successful which nan CDK is deployed.

Thousands of instances

“Since nan Prefix is ever cdk, nan Qualifier is by default hnb659fds, and assets is simply a changeless drawstring successful nan bucket name, nan only variables that alteration are nan Account ID and nan Region,” explained cybersecurity researchers from Aqua, who first spotted nan flaw.

This intends crooks could declare personification else’s CDK staging bucket sanction successful advance, preload it pinch malware, and past conscionable hold for nan unfortunate to tally it.

To make matters worse, Aqua says location are “thousands” of instances pinch nan default qualifier being utilized successful nan bootstrap process, making it ace easy to declare different user’s CDK staging bucket name. In fact, nan problem could "allow an attacker to summation administrative entree to a target AWS account, resulting successful a afloat relationship takeover," nan pros explained.

Aqua reported nan flaw to Amazon, who patched it successful early July this year, it was said. The first cleanable CDK type is v2.149.0.

Sign up to nan TechRadar Pro newsletter to get each nan apical news, opinion, features and guidance your business needs to succeed!

Via The Register

More from TechRadar Pro

  • AWS has patched a alternatively embarrassing Kubernetes bug
  • Here's a database of nan best firewalls today
  • These are nan best endpoint protection tools correct now

Sead is simply a seasoned freelance journalist based successful Sarajevo, Bosnia and Herzegovina. He writes astir IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, information breaches, laws and regulations). In his career, spanning much than a decade, he’s written for galore media outlets, including Al Jazeera Balkans. He’s besides held respective modules connected contented penning for Represent Communications.

More
Source Technology
Technology

Related Article

Viltrox is changing the game for camera lenses, with its latest premium prime matching Sony’s best for half the price

Viltrox is changing the game for camera lenses, with its latest premium prime matching Sony’s best for half the price

2 weeks ago
Professionals are facing "tech overload" as they try to juggle multiple devices in the workplace

Professionals are facing "tech overload" as they try to juggle multiple devices in the workplace

2 weeks ago
The Galaxy S25 Ultra's rumored iPhone-beating power could tempt me back to Android

The Galaxy S25 Ultra's rumored iPhone-beating power could tempt me back to Android

2 weeks ago

Popular Article

Soundcore’s newest clip-style earbuds focus on comfort

Soundcore’s newest clip-style earbuds focus on comfort

1 month ago
Better than Black Friday: shop record-low prices on Samsung TVs at Best Buy

Better than Black Friday: shop record-low prices on Samsung TVs at Best Buy

1 month ago
The iPhone SE might serve an unexpected surprise next year

The iPhone SE might serve an unexpected surprise next year

1 month ago
AirPods Pro 2's hearing health features will arrive as a software update starting next week

AirPods Pro 2's hearing health features will arrive as a software update starting next week

1 month ago
The best budget laptops for 2024

The best budget laptops for 2024

1 month ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions ·

©2024 Latest Tech News.
All Rights Reserved.