AWS Deployment Framework Flaw: Upgrade Now or Face the Chaos

AWS Deployment Framework users: Upgrade to version 4.0+ to fix CVE-2024-37293 and mitigate privilege escalation risks. Temporary fix: add a permissions boundary in the management account. Thanks to Xidian University for the responsible disclosure.

1P
Published: June 11, 2024 5:29 pmAdded: June 11, 2024 at 10:36 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Looks like AWS just revealed their Achilles’ heel in the form of a bootstrap process that’s more like a bootstrapped rollercoaster! If you’re not on version 4.0, it’s time to upgrade faster than your morning coffee kicks in. Thanks, Xidian University, for being the Gandalf to AWS’s Frodo in this cybersecurity saga.

Key Points:

  • CVE-2024-37293 impacts the AWS Deployment Framework (ADF) bootstrap process.
  • Two vulnerable versions: CodeBuild-driven and Lambda-driven bootstrap processes.
  • Potential for privilege escalation if actors alter CodeBuild projects or Lambda functions.
  • Issue addressed in ADF version 4.0 and above – upgrade ASAP!
  • Temporary mitigation: Apply a permissions boundary to deny IAM and STS actions.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?