AWS has patched a vulnerability in its Elastic Container Registry (ECR) that was uncovered by Lightspin researcher Gafnit Amiga during an examination of AWS’s ECR APIs.

The vulnerability “allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions”.
An attacker could plant malware in such projects, and ECR would present the tampered images as legitimate, enabling software supply chain attacks.
Elastic Container Registry’s Public Gallery hosts popular projects such as NGINX, Ubuntu Linux, Amazon Linux, and HashiCorp’s Consul.
Amiga discovered seven undocumented ECR Public API actions and, from those, worked out how the APIs could be abused.
“An adversary could do what I did and either remove or push new images which would appear as verified Registries belonging to Amazon, Canonical, and other popular companies, and providers,” she wrote.
She said that the extent of the risk is hard to estimate: “Just the top six most popular (by downloads) images on the ECR Public Gallery combine for around 13 billion downloads and there are several thousands more images stored on ECR Public.
“An analysis of Lightspin customers shows that 26 percent of all Kubernetes clusters have at least one Pod that pulls an image from public.ecr.aws.”
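A defender-side inventory check for the exposure described above, added here as an example and not code from Lightspin or the article: it walks pod manifests (shaped like the items in `kubectl get pods -A -o json`, with constructed sample data) and lists every container pulling from public.ecr.aws. The digest-versus-tag distinction is an assumption added here: an image pinned to an immutable digest would not silently pick up a replaced image, whereas a mutable tag would.

```python
import re

# Constructed sample shaped like items from `kubectl get pods -A -o json`
# (sample data, not real cluster output).
SAMPLE_PODS = [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.23"}]}},
    {"metadata": {"namespace": "infra", "name": "consul"},
     "spec": {"initContainers": [{"name": "init", "image": "public.ecr.aws/hashicorp/consul@sha256:" + "ab" * 32}],
              "containers": [{"name": "consul", "image": "public.ecr.aws/hashicorp/consul:1.14"}]}},
    {"metadata": {"namespace": "app", "name": "api"},
     "spec": {"containers": [{"name": "api", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:v3"}]}},
]

PUBLIC_ECR_HOST = "public.ecr.aws"
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # immutable content-addressed reference


def pod_images(pod):
    """Yield (container_name, image) for every initContainer and container."""
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        yield c["name"], c["image"]


def audit_public_ecr(pods):
    """Return one finding per container image pulled from ECR Public.

    pinned_by_digest is True when the reference ends in @sha256:<64 hex>,
    False when it resolves through a mutable tag (e.g. ':1.23' or no tag).
    """
    findings = []
    for pod in pods:
        pod_ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for cname, image in pod_images(pod):
            # The registry host is everything before the first '/'; images
            # with no host (e.g. 'nginx:latest') never match and are skipped.
            if image.split("/", 1)[0] != PUBLIC_ECR_HOST:
                continue
            findings.append({"pod": pod_ref, "container": cname, "image": image,
                             "pinned_by_digest": bool(DIGEST_RE.search(image))})
    return findings


if __name__ == "__main__":
    for f in audit_public_ecr(SAMPLE_PODS):
        flag = "digest-pinned" if f["pinned_by_digest"] else "MUTABLE TAG"
        print(f"{f['pod']:<16} {f['container']:<8} {flag:<14} {f['image']}")
```

Feed it the `items` array of real `kubectl get pods -A -o json` output to see which workloads depend on ECR Public and which of them would take a replaced image without any change on your side.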
The vulnerability was patched in November.
In its advisory, AWS said: “We have conducted exhaustive analysis of all logs, we are confident our review was conclusive, and that the only activity associated with this issue was between accounts owned by the researcher.
“No other customers’ accounts were affected, and no customer action is required.”