Cybersecurity experts have revealed a novel form of name confusion attack, dubbed “whoAMI,” which enables an individual who publishes an Amazon Machine Image (AMI) with a specific name to execute code within an Amazon Web Services (AWS) account.
According to Seth Art, a researcher at Datadog Security Labs, “If this attack is carried out on a large scale, it could be used to gain access to thousands of accounts.” In a report shared with The Hacker News, he noted that the vulnerable pattern can be found in numerous private and open-source code repositories.
At its core, the attack is a subset of a supply chain attack that involves publishing a malicious resource and deceiving misconfigured software into using it instead of the legitimate counterpart.
The attack exploits the fact that anyone can publish an AMI, a virtual machine image used to boot up Elastic Compute Cloud (EC2) instances in AWS, to the community catalog. Developers may omit the “--owners” attribute when searching for an AMI via the ec2:DescribeImages API, making it possible for attackers to create a malicious AMI with a matching name.
To carry out the name confusion attack, the following conditions must be met when a victim retrieves the AMI ID through the API:
- Using the name filter,
- Failing to specify the owner, owner-alias, or owner-id parameters, and
- Retrieving the most recently created image from the list of matching images (“most_recent=true”).
This scenario allows an attacker to create a malicious AMI with a name that matches the search criteria, resulting in the creation of an EC2 instance using the attacker’s doppelgänger AMI, granting remote code execution (RCE) capabilities.
This, in turn, enables threat actors to initiate post-exploitation actions.
All an attacker needs is an AWS account to publish their backdoored AMI to the public Community AMI catalog and choose a name that matches the AMIs sought by their targets.
According to Art, “It is very similar to a dependency confusion attack, except that in the latter, the malicious resource is a software dependency, whereas in the whoAMI name confusion attack, the malicious resource is a virtual machine image.”
Datadog reported that approximately 1% of the organizations they monitored were affected by the whoAMI attack. They also found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria.
Following responsible disclosure on September 16, 2024, Amazon addressed the issue three days later. When reached for comment, AWS told The Hacker News that they did not find any evidence of the technique being abused in the wild.
“All AWS services are operating as designed. Based on extensive log analysis and monitoring, our investigation confirmed that the technique described in this research has only been executed by the authorized researchers themselves, with no evidence of usage by any other parties,” the company stated.
“This technique could affect customers who retrieve Amazon Machine Image (AMI) IDs via the ec2:DescribeImages API without specifying the owner value. In December 2024, we introduced Allowed AMIs, a new account-wide setting that enables customers to limit the discovery and use of AMIs within their AWS accounts. We recommend customers evaluate and implement this new security control.”
As of last November, HashiCorp Terraform has started issuing warnings to users when “most_recent = true” is used without an owner filter in terraform-provider-aws version 5.77.0. The warning diagnostic is expected to be upgraded to an error effective version 6.0.0.
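The three conditions listed earlier can be checked statically in Terraform code. The following is an added example, not code from Datadog, AWS, or HashiCorp: a regex heuristic (not a full HCL parser) that flags `aws_ami` data sources that filter by name, set `most_recent = true`, and name no owner. The function names, the sample image name, and the account ID are constructed for illustration.

```python
import re
# Constructed Terraform input: "risky" meets all three conditions, "pinned" names an owner.
SAMPLE_TF = '''
data "aws_ami" "risky" {
  most_recent = true
  # owners = ["amazon"]
  filter {
    name   = "name"
    values = ["example-base-image-*"]
  }
}
data "aws_ami" "pinned" {
  most_recent = true
  owners      = ["123456789012"]
  filter {
    name   = "name"
    values = ["example-base-image-*"]
  }
}
'''

HEADER = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')

def block_body(text, start):
    """Return the text from `start` (just past an opening brace) to its matching close."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: inspect what is there

def find_unpinned_ami_lookups(text):
    """Names of aws_ami data sources that filter by name, take the newest match, and set no owner."""
    findings = []
    for match in HEADER.finditer(text):
        # Strip line comments so a commented-out owners line does not count as a pin.
        body = re.sub(r'(#|//).*', '', block_body(text, match.end()))
        by_name = re.search(r'\bname\s*=\s*"name"', body)
        newest = re.search(r'\bmost_recent\s*=\s*true\b', body)
        owner = re.search(r'\bowners\s*=|\bname\s*=\s*"owner-(alias|id)"', body)
        if by_name and newest and not owner:
            findings.append(match.group(1))
    return findings

print(find_unpinned_ami_lookups(SAMPLE_TF))
```

A finding means the lookup should be given an explicit `owners` value; the Allowed AMIs account setting mentioned above is a separate, account-wide control.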