AWS plugs holes in ECR APIs – Security – Cloud

AWS has patched a vulnerability in the public registry of its Elastic Container Registry (ECR) service, discovered by Lightspin researcher Gafnit Amiga while investigating the ECR Public APIs.

The vulnerability “allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories belonging to other AWS accounts by abusing undocumented internal ECR Public API actions”.

An attacker could have injected malicious code into those public images, and ECR Public would have served the tampered images as legitimate, verified content to every cluster pulling them, enabling attacks on the software supply chain.

The Elastic Container Registry Public Gallery hosts popular projects like NGINX, Ubuntu Linux, Amazon Linux, and Consul by HashiCorp.

Amiga discovered seven undocumented API actions and worked out how they could be abused.

“An adversary could do what I did and either remove or move new images that would appear as verified registrations from Amazon, Canonical, and other well-known companies and vendors,” she wrote.

She said the extent of the risk was difficult to assess: “The six most popular (by downloads) images in the ECR Public Gallery alone have a combined total of around 13 billion downloads and there are several thousand more images stored on ECR Public.

“An analysis of Lightspin customers shows that 26 percent of all Kubernetes clusters have at least one pod that pulls an image from”
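Because tags in a public registry are mutable, the practical check a cluster operator wants after reading this is: which of my pods pull from public.ecr.aws by tag rather than by immutable digest? The script below is an added example, not Lightspin's tooling or AWS code. It parses OCI image references the way container runtimes do (registry host, repository, tag, digest) and flags any ECR Public image that is not digest-pinned. The pod specs are constructed for the example and the repository paths are illustrative; in practice you would feed it the output of `kubectl get pods -A -o json`.

```python
"""Flag Kubernetes pods that pull ECR Public images by mutable tag.

Added example, not the original page's code. SAMPLE_PODS below is constructed;
repository paths are illustrative and not real ECR Public Gallery paths.
"""
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ECR_PUBLIC_HOST = "public.ecr.aws"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only a digest identifies immutable content; a tag can be re-pointed.
        return self.digest is not None


def parse_image(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host
    # (contains a dot or port, or is localhost); otherwise it is Docker Hub.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a colon after the last slash separates the tag
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


@dataclass(frozen=True)
class Finding:
    namespace: str
    pod: str
    container: str
    image: str
    reason: str


def iter_container_images(pod: dict) -> Iterator[Tuple[str, str]]:
    """Yield (container name, image) for init, regular and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield c.get("name", "?"), c.get("image", "")


def audit_pods(pods: List[dict]) -> List[Finding]:
    """Return every ECR Public image that is pulled without a digest."""
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        for cname, image in iter_container_images(pod):
            ref = parse_image(image)
            if ref.registry != ECR_PUBLIC_HOST or ref.pinned:
                continue
            reason = ("no tag (defaults to 'latest')" if ref.tag is None
                      else f"mutable tag '{ref.tag}'")
            findings.append(Finding(ns, name, cname, image, reason))
    return findings


# Constructed pod list in the shape of `kubectl get pods -A -o json` items.
SAMPLE_PODS = [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"initContainers": [{"name": "init",
                                  "image": "public.ecr.aws/example/ubuntu@sha256:" + "a" * 64}],
              "containers": [{"name": "nginx",
                              "image": "public.ecr.aws/example/nginx:1.25"}]}},
    {"metadata": {"namespace": "infra", "name": "consul-0"},
     "spec": {"containers": [{"name": "consul",
                              "image": "public.ecr.aws/example/consul"}]}},
    {"metadata": {"namespace": "apps", "name": "api"},
     "spec": {"containers": [{"name": "api",
                              "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:v3"}]}},
    {"metadata": {"namespace": "apps", "name": "cache"},
     "spec": {"containers": [{"name": "redis", "image": "redis:7"}]}},
]


if __name__ == "__main__":
    for f in audit_pods(SAMPLE_PODS):
        print(json.dumps(f.__dict__))
```

Private ECR and Docker Hub images are skipped deliberately so the report stays focused on the registry discussed here; drop the registry check to get a general "unpinned image" report. Pinning by digest does not stop a compromised upstream from publishing a bad image, but it does mean a re-pointed tag cannot silently change what your clusters run.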

The vulnerability was patched in November.

In its security bulletin, AWS said, “We performed a comprehensive analysis of all logs, we are confident that our review was conclusive and that the only activity related to this issue occurred between accounts owned by the researcher.

“Other customers’ accounts were not affected and no customer action is required.”

Callan Tansill
