Amazon EC2 instances could be under fire from whoAMI technique giving hackers code execution access

News
By
published

Users told to update immediately

A person holding a virtual cloud in the palm of their hand.
(Image credit: Shutterstock)
  • A flaw named WhoAMI was found in Amazon Machine Image
  • It allows threat actors to gain RCE abilities on people's AWS accounts
  • A fix has been released, but many users are still yet to update

Amazon Web Services (AWS) users are potentially vulnerable to a name confusion attack called “whoAMI”, experts have warned.

The vulnerability, found in Amazon Machine Image (AMI), was discovered in the summer of 2024 by cybersecurity researchers DataDog, and has now been confirmed by Amazon, which said it fixed the issue on its side, and urged users to update the code on their side and thus protect their premises.

AMI is a pre-configured template used to create and launch virtual servers (EC2 instances) in AWS. It includes an operating system, application software, and necessary configurations like storage and permissions. AMIs allow users to quickly deploy consistent environments, whether using AWS-provided images, community AMIs, or custom-built ones. This makes scaling and managing cloud infrastructure more efficient.

Following the naming pattern

AMIs can be public, or private, and once generated, come with a unique identifier. Public ones can even be found in the AWS catalog. But these public ones should also come with the ‘owners’ attribute, as a way to confirm that they’re coming from a trusted source.

Now, the researchers found that the way software projects retrieve AMI IDs was flawed, and allowed threat actors to gain remote code execution (RCE) capabilities within people’s AWS accounts.

The technical details on how the vulnerability works and how it might be exploited can be found on this link. Long story short, if a threat actor publishes an AMI with a name that follows the format used by trusted owners, it can be picked up by mistake.

When DataDog first discovered the flaw, it said that overall, a very small percentage of AWS users are vulnerable, but that still equals “thousands” of AWS accounts. Amazon responded by issuing a fix in mid-September last year, and releasing a new security control called “Allowed AMIs” in early December last year.

It also advised all users to apply the fixes, while stressing that there was no evidence of abuse in the wild.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Russia

Pro-Russian hackers hit Italian bank, airport websites
Fingerprint

Profit over privacy? Google gives advertisers more personal info in major ‘fingerprinting’ U-turn
Rick and Chelsea stand together in The White Lotus season 3

The White Lotus season 3 is Max's #1 show – here are 3 more comedy dramas that are just as good with over 95% on Rotten Tomatoes

See more latest