New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution

Ravie Lakshmanan, The Hacker News
February 14, 2025
Vulnerability / DevOps

Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account.

“If executed at scale, this attack could be used to gain access to thousands of accounts,” Datadog Security Labs researcher Seth Art said in a report shared with The Hacker News. “The vulnerable pattern can be found in many private and open source code repositories.”

At its heart, the attack is a form of supply chain attack: publish a malicious resource and trick misconfigured software into using it instead of the legitimate one.


The attack exploits two facts: anyone can publish an AMI (the virtual machine image used to boot Elastic Compute Cloud (EC2) instances in AWS) to the public Community AMI catalog, and developers can omit the “--owners” attribute (the “Owners” parameter) when searching for one via the ec2:DescribeImages API.

Put differently, the name confusion attack requires the following three conditions to be met when a victim retrieves the AMI ID through the API:

  • Use of the name filter,
  • A failure to specify the owner, owner-alias, or owner-id parameters,
  • Fetching the most recently created image from the returned list of matching images (“most_recent=true”)

This leads to a scenario where an attacker can create a malicious AMI with a name that matches the pattern specified in the search criteria, resulting in the creation of an EC2 instance using the threat actor’s doppelgänger AMI.

This, in turn, grants remote code execution (RCE) capabilities on the instance, allowing the threat actors to initiate various post-exploitation actions.
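The three conditions above, reproduced in the lookup logic that application code typically applies to an ec2:DescribeImages result, beside the owner-constrained version. This is an added example, not code from the article or from the Datadog write-up; the DescribeImages response, image IDs, names, owner account IDs and dates are constructed so the script runs offline, and TRUSTED_OWNER is a hypothetical account ID standing in for the publisher you actually trust.

```python
"""
AMI name-confusion (whoAMI) in the lookup logic, side by side with the fix.

Added example, not code from the article or the Datadog write-up. It reproduces
the selection that application code typically applies to an ec2:DescribeImages
result: filter by name, optionally by owner, take the newest. The response,
image IDs, names, owner account IDs and dates below are constructed so the
script runs offline; TRUSTED_OWNER is a hypothetical account ID.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

TRUSTED_OWNER = "123456789012"   # hypothetical: the image publisher you trust

# Name pattern of the kind found in the vulnerable code. DescribeImages' "name"
# filter accepts '*' wildcards, so the date suffix is left open.
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"

# Constructed stand-in for the "Images" list returned by
# ec2.describe_images(Filters=[{"Name": "name", "Values": [NAME_PATTERN]}])
# when NO Owners= argument is given: public community AMIs from any account
# that match the name are included.
FAKE_DESCRIBE_IMAGES = [
    {
        "ImageId": "ami-0123456789abcdef0",
        "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
        "OwnerId": TRUSTED_OWNER,
        "Public": True,
        "CreationDate": "2024-09-01T00:00:00.000Z",
    },
    {
        # Attacker's doppelganger: same name prefix, later date, other account.
        "ImageId": "ami-0fedcba9876543210",
        "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240915",
        "OwnerId": "111122223333",
        "Public": True,
        "CreationDate": "2024-09-15T00:00:00.000Z",
    },
]


def _created(image):
    """Parse the ISO-8601 CreationDate string DescribeImages returns."""
    return datetime.strptime(
        image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ"
    ).replace(tzinfo=timezone.utc)


def select_ami(images, name_pattern, owners=None, most_recent=True):
    """Return the ImageId the lookup would choose, or None if nothing matches.

    owners=None together with most_recent=True is the vulnerable whoAMI
    combination: whoever publishes the newest public AMI matching the
    pattern wins. Passing the trusted owner(s) closes the hole.
    """
    candidates = [img for img in images if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        # Accept either the 12-digit account ID or an alias such as "amazon".
        candidates = [
            img for img in candidates
            if img["OwnerId"] in owners or img.get("ImageOwnerAlias") in owners
        ]
    if not candidates:
        return None
    if most_recent:
        return max(candidates, key=_created)["ImageId"]
    if len(candidates) > 1:
        # Without most_recent a multi-match is ambiguous; Terraform's aws_ami
        # data source refuses to guess here and errors out instead.
        raise ValueError(
            f"{len(candidates)} AMIs match {name_pattern!r}; add owners or pin the ID"
        )
    return candidates[0]["ImageId"]


def vulnerable_lookup(images=FAKE_DESCRIBE_IMAGES):
    """Name filter + no owner + most recent: returns the attacker's image."""
    return select_ami(images, NAME_PATTERN)


def hardened_lookup(images=FAKE_DESCRIBE_IMAGES):
    """Same query constrained to the trusted owner: returns the legitimate image."""
    return select_ami(images, NAME_PATTERN, owners=[TRUSTED_OWNER])


if __name__ == "__main__":
    print("vulnerable picks:", vulnerable_lookup())
    print("hardened picks:  ", hardened_lookup())
```

Against a live client the owner constraint belongs in the API call itself, ec2.describe_images(Owners=[...], Filters=[...]), rather than only in post-filtering, so the attacker's image is never returned in the first place; pinning an explicit ImageId per region is stricter still, at the cost of updating it yourself.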

All an attacker needs is an AWS account to publish their backdoored AMI to the public Community AMI catalog and opt for a name that matches the AMIs sought by their targets.

“It is very similar to a dependency confusion attack, except that in the latter, the malicious resource is a software dependency (such as a pip package), whereas in the whoAMI name confusion attack, the malicious resource is a virtual machine image,” Art said.

Datadog said roughly 1% of organizations monitored by the company were affected by the whoAMI attack, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria.

Following responsible disclosure on September 16, 2024, the issue was addressed by Amazon three days later. When reached for comment, AWS told The Hacker News that it did not find any evidence that the technique was abused in the wild.

“All AWS services are operating as designed. Based on extensive log analysis and monitoring, our investigation confirmed that the technique described in this research has only been executed by the authorized researchers themselves, with no evidence of usage by any other parties,” the company said.


“This technique could affect customers who retrieve Amazon Machine Image (AMI) IDs via the ec2:DescribeImages API without specifying the owner value. In December 2024, we introduced Allowed AMIs, a new account-wide setting that enables customers to limit the discovery and use of AMIs within their AWS accounts. We recommend customers evaluate and implement this new security control.”
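Allowed AMIs stops future launches from untrusted publishers; it does not tell you which instances already running were launched from a look-alike image. The following audit is an added example, not code from AWS, Datadog or the article: it walks every non-terminated instance, resolves the AMI it was launched from, and flags any AMI whose owner is outside an allowlist or that can no longer be seen at all. The describe_instances and describe_images responses, instance and image IDs, and account IDs are constructed so it runs offline; ALLOWED_OWNERS is a hypothetical allowlist.

```python
"""
Audit EC2 instances for AMIs outside an owner allowlist.

Added example, not code from AWS, Datadog or the article. The responses,
instance and image IDs and account IDs are constructed so it runs offline;
with a real boto3 client you would feed in describe_instances()["Reservations"]
and describe_images(ImageIds=[...])["Images"] instead. ALLOWED_OWNERS is a
hypothetical allowlist of owner aliases or 12-digit account IDs.
"""

ALLOWED_OWNERS = {"amazon", "123456789012"}   # hypothetical allowlist

# Constructed stand-in for ec2.describe_instances()["Reservations"].
FAKE_RESERVATIONS = [
    {
        "Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "ImageId": "ami-0123456789abcdef0",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002", "ImageId": "ami-0fedcba9876543210",
             "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60003", "ImageId": "ami-00000000000000bad",
             "State": {"Name": "stopped"}},
            {"InstanceId": "i-0a1b2c3d4e5f60004", "ImageId": "ami-0fedcba9876543210",
             "State": {"Name": "terminated"}},
        ]
    }
]

# Constructed stand-in for ec2.describe_images(ImageIds=[...])["Images"], keyed
# by ImageId. The third instance's AMI is deliberately absent: the image is no
# longer visible to this account (for example deregistered after the launch),
# which is itself worth a look.
FAKE_IMAGES = {
    "ami-0123456789abcdef0": {"OwnerId": "999999999999", "ImageOwnerAlias": "amazon"},
    "ami-0fedcba9876543210": {"OwnerId": "111122223333"},
}


def image_owner(image):
    """Prefer the alias AWS attaches to its own images, else the raw account ID."""
    return image.get("ImageOwnerAlias") or image["OwnerId"]


def audit_instances(reservations, images_by_id, allowed_owners):
    """Return (instance_id, image_id, reason) for every live instance whose AMI
    is not from an allowed owner or cannot be resolved. Terminated instances
    are skipped; they have no running workload to contain."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            ami = inst["ImageId"]
            image = images_by_id.get(ami)
            if image is None:
                findings.append((inst["InstanceId"], ami, "ami-not-visible"))
                continue
            if image_owner(image) in allowed_owners or image["OwnerId"] in allowed_owners:
                continue
            findings.append(
                (inst["InstanceId"], ami, f"untrusted-owner:{image['OwnerId']}")
            )
    return findings


def run_audit():
    """Run the audit over the constructed data; returns the list of findings."""
    return audit_instances(FAKE_RESERVATIONS, FAKE_IMAGES, ALLOWED_OWNERS)


if __name__ == "__main__":
    for instance_id, ami, reason in run_audit():
        print(f"{instance_id}\t{ami}\t{reason}")
```

Anything flagged “untrusted-owner” is a candidate for the post-exploitation scenario described above and should be treated as potentially compromised rather than simply relaunched; “ami-not-visible” is weaker evidence, since legitimate publishers also deregister old images, but on a fleet that should only run images from known owners it is the gap an attacker who cleans up after themselves would leave.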

Since November 2024, the HashiCorp Terraform AWS provider (terraform-provider-aws version 5.77.0) has issued a warning when an aws_ami data source sets “most_recent = true” without an owner filter. The warning diagnostic is expected to be upgraded to an error in version 6.0.0.
