- A flaw called Whoami was found in Amazon Machine Images (AMIs)
- It allows threat actors to gain remote code execution (RCE) in people’s AWS accounts
- A fix has been released, but many users have not yet updated
Amazon Web Services (AWS) users are potentially vulnerable to a name-confusion attack called “Whoami”, experts have warned.
The vulnerability, which lies in Amazon Machine Images (AMIs), was discovered in the summer of 2024 by Datadog security researchers and has now been confirmed by Amazon, which said it has fixed the problem on its side and urged users to update their own code to protect their deployments.
An AMI is a preconfigured template used to create and launch virtual servers (EC2 instances) in AWS. It includes an operating system, application software and the necessary settings such as storage and permissions. AMIs let users quickly deploy consistent environments, whether from images provided by AWS, community AMIs or custom-built ones. This makes scaling and managing cloud infrastructure more efficient.
Following the name pattern
AMIs can be public or private, and once created they come with a unique identifier. Public ones can even be found in the AWS catalog. But public AMIs should also be looked up with the ‘owners’ attribute, as a way to confirm that they come from a trusted source.
Now, the researchers found that the way software projects retrieve AMI IDs was flawed and allowed threat actors to gain remote code execution (RCE) capabilities within people’s AWS accounts.
The technical details of how the vulnerability works and how it can be exploited are available at this link. In a nutshell, if a threat actor publishes an AMI with a name that follows the format used by trusted owners, it can be picked up by mistake.
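To make the lookup flaw concrete, here is an added example (not code from the article or from Datadog) that replays the selection logic offline on a constructed list of image records shaped like an EC2 DescribeImages response. The owner IDs, image IDs and name pattern are made up; the vulnerable selector matches only on the name glob and takes the newest image, while the hardened selector additionally requires the owner to be on an explicit allow-list, which is what passing `Owners=[...]` to boto3's `ec2.describe_images()` does instead of relying on a name filter alone.

```python
import fnmatch

# Constructed sample of what DescribeImages might return for a public
# name-pattern search. All IDs and names below are hypothetical.
TRUSTED_OWNER = "111111111111"      # hypothetical vendor account ID
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa", "Name": "example-linux-2024.06",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-06-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbb", "Name": "example-linux-2024.09",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-09-01T00:00:00.000Z"},
    # A newer public image with a look-alike name from an unrelated account.
    {"ImageId": "ami-0ccc", "Name": "example-linux-2025.01",
     "OwnerId": "999999999999", "CreationDate": "2025-01-15T00:00:00.000Z"},
]


def _newest_image_id(images):
    """Return the ImageId with the latest CreationDate, or None if empty.
    CreationDate is ISO 8601 in a fixed format, so string order is date order."""
    newest = max(images, key=lambda img: img["CreationDate"], default=None)
    return newest["ImageId"] if newest else None


def pick_ami_vulnerable(images, name_pattern):
    """The flawed lookup: filter on the name glob only and take the newest.
    Equivalent to describe_images(Filters=[{"Name": "name", ...}]) with no
    Owners argument, so any public image matching the pattern competes."""
    matches = [img for img in images if fnmatch.fnmatch(img["Name"], name_pattern)]
    return _newest_image_id(matches)


def pick_ami_hardened(images, name_pattern, allowed_owners):
    """The same lookup, but only images from an explicit owner allow-list
    are candidates. Equivalent to passing Owners=[...] to describe_images."""
    matches = [img for img in images
               if img["OwnerId"] in allowed_owners
               and fnmatch.fnmatch(img["Name"], name_pattern)]
    return _newest_image_id(matches)


def audit_selection(images, name_pattern, allowed_owners):
    """Detection helper: report whether the name-only lookup would have
    chosen an image from an account outside the allow-list."""
    chosen = pick_ami_vulnerable(images, name_pattern)
    owner = next((img["OwnerId"] for img in images if img["ImageId"] == chosen), None)
    return {"chosen": chosen, "owner": owner, "untrusted": owner not in allowed_owners}


if __name__ == "__main__":
    print(pick_ami_vulnerable(SAMPLE_IMAGES, "example-linux-*"))   # ami-0ccc
    print(pick_ami_hardened(SAMPLE_IMAGES, "example-linux-*", {TRUSTED_OWNER}))  # ami-0bbb
    print(audit_selection(SAMPLE_IMAGES, "example-linux-*", {TRUSTED_OWNER}))
```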
When Datadog first discovered the flaw, it said that, overall, a very small percentage of AWS users was vulnerable, but that this still amounts to “thousands” of AWS accounts. Amazon responded by issuing a fix in mid-September last year and launching a new security control called “Allowed AMIs” in early December last year.
It also advised all users to apply the fixes, while stressing that there was no evidence of abuse in the wild.
Via BleepingComputer