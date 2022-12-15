AWS plugs holes in ECR APIs


After researcher reports supply chain attack risks.

AWS has patched a vulnerability in its Elastic Container Registry (ECR) that was uncovered by Lightspin researcher Gafnit Amiga during an examination of AWS’s ECR APIs.

The vulnerability “allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions”.

An attacker would be able to plant malware in such images, and ECR would present them as legitimate, enabling software supply chain attacks.

Elastic Container Registry’s Public Gallery hosts popular projects such as NGINX, Ubuntu Linux, Amazon Linux, and HashiCorp’s Consul.

Amiga discovered seven publicly undocumented API actions, and from those worked out how to abuse the APIs.

“An adversary could do what I did and either remove or push new images which would appear as verified Registries belonging to Amazon, Canonical, and other popular companies, and providers,” she wrote.

She said that the extent of the risk is hard to estimate: “Just the top six most popular (by downloads) images on the ECR Public Gallery combine for around 13 billion downloads and there are several thousands more images stored on ECR Public.

“An analysis of Lightspin customers shows that 26 percent of all Kubernetes clusters have at least one Pod that pulls an image from public.ecr.aws.”
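As an added example, not code from the article, Lightspin or AWS: a small audit over Kubernetes container image references that reports which images are pulled from public.ecr.aws and whether each one is pinned to an immutable digest or floats on a mutable tag (a tag is what a silently replaced image would be served under). The image list is constructed, and the reference parser is a simplified reading of OCI reference syntax.

```python
import re

# Constructed sample of spec.containers[].image values; not from the article.
SAMPLE_IMAGES = [
    "public.ecr.aws/nginx/nginx:1.23",
    "public.ecr.aws/ubuntu/ubuntu@sha256:" + "a" * 64,
    "public.ecr.aws/amazonlinux/amazonlinux",
    "docker.io/library/redis:7",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v1",
]

PUBLIC_ECR_HOST = "public.ecr.aws"
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).
    A reference with no explicit registry host defaults to docker.io."""
    digest = None
    name = ref
    m = DIGEST_RE.search(ref)
    if m:
        digest = m.group(0)[1:]      # drop the leading '@'
        name = ref[:m.start()]
    tag = None
    # A ':' is a tag separator only if it comes after the last '/';
    # otherwise it is a registry port (e.g. localhost:5000/app).
    last_slash, last_colon = name.rfind("/"), name.rfind(":")
    if last_colon > last_slash:
        tag, name = name[last_colon + 1:], name[:last_colon]
    first = name.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        registry, repo = name.split("/", 1)
    else:
        registry, repo = "docker.io", name
    return registry, repo, tag, digest


def audit_public_ecr_refs(images):
    """Return one finding per image pulled from public.ecr.aws, stating
    whether it is pinned by digest or resolves through a mutable tag."""
    findings = []
    for ref in images:
        registry, repo, tag, digest = parse_image_ref(ref)
        if registry != PUBLIC_ECR_HOST:
            continue
        effective_tag = tag if tag is not None else ("latest" if digest is None else None)
        findings.append({"image": ref, "repository": repo,
                         "pinned": digest is not None, "tag": effective_tag})
    return findings


if __name__ == "__main__":
    for f in audit_public_ecr_refs(SAMPLE_IMAGES):
        print(("pinned  " if f["pinned"] else "MUTABLE ") + f["image"])
```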

The vulnerability was patched during November.

In its advisory, AWS said: “We have conducted exhaustive analysis of all logs, we are confident our review was conclusive, and that the only activity associated with this issue was between accounts owned by the researcher.

“No other customers’ accounts were affected, and no customer action is required.”

Copyright © iTnews.com.au . All rights reserved.