A serious vulnerability has been uncovered in the Amazon Elastic Container Registry (ECR) Public Gallery, which could have been leveraged for various attacks, as reported by the cybersecurity firm Lightspin. The flaw poses critical risks, enabling malicious actors to delete images stored in the gallery or replace them with versions containing harmful code, according to Gafnit Amiga, director of security research at Lightspin.
This vulnerability presents an opportunity for cybercriminals to execute malicious code on any machine that accesses these images, whether in local environments, Kubernetes clusters, or cloud-based settings. Lightspin’s advisory highlights the implications of this weakness, emphasizing that its exploitation could lead to widespread system compromises.
The ECR service, part of Amazon Web Services (AWS), lets users manage Docker container images and deploy them across their environments. Publicly hosted repositories in ECR are accessible through the ECR Public Gallery, which facilitates community contributions and visibility of container images. AWS documentation notes that, by default, an account has read and write access to the repositories within its own public registry, while IAM users require specific permissions to perform API calls or upload images.
However, the vulnerability identified by Lightspin allowed external parties to manipulate images in other AWS accounts’ registries by calling undocumented internal APIs. An attacker could use temporary credentials acquired via Amazon Cognito to interact with these APIs and manipulate the image storage mechanisms within the ECR environment.
Characterized as a significant threat to the software supply chain, this vulnerability could have enabled various attacks, including denial-of-service, data breaches, and privilege escalation. Amiga points out that adversaries could poison popular images, undermining the trust inherent in the ECR Public supply chain by presenting compromised images as verified and legitimate.
Following the discovery of this issue, Amazon swiftly addressed the vulnerability, deploying a fix within 24 hours, a turnaround that reflects how serious the flaw was. Customers were not required to take any action to rectify the issue, which showcases AWS’s commitment to maintaining security within its ecosystem.
This incident illustrates the critical importance of robust security practices in managing container images and public repositories, particularly in cloud environments. The potential for exploitation underscores the need for vigilance against sophisticated attacks that can arise from seemingly innocuous vulnerabilities in trusted services.
The MITRE ATT&CK framework provides insight into the types of tactics and techniques that could have been employed in this attack, including initial access via unauthorized requests and later persistence through compromised images. Understanding these methodologies can help organizations fortify protections against similar threats while navigating the complexities of a rapidly evolving cybersecurity landscape.