Full Report
Wiz Research discovered a critical supply chain vulnerability: a CodeBuild webhook misconfiguration that could be abused to take over key AWS GitHub repositories, including the JavaScript SDK powering the AWS Console.
Analysis Summary
# Vulnerability: CodeBreach - AWS CodeBuild Misconfiguration Leading to AWS GitHub Repository Takeover
## CVE Details
- CVE ID: Not explicitly assigned in the text. (This is a vendor-specific finding/attack disclosure, not a formal CVE at the time of the article.)
- CVSS Score: Not explicitly provided. (Implied Critical severity based on impact description.)
- CWE: Not assigned in the text. CWE-787 (Out-of-bounds Write) does not apply to a CI trigger misconfiguration; the closest fits are CWE-625 (Permissive Regular Expression) for the unanchored webhook filter patterns and CWE-284 (Improper Access Control) for the resulting trust-boundary violation in the CI/CD pipeline.
## Affected Systems
- Products: AWS CodeBuild, key AWS GitHub repositories (including the JavaScript SDK powering the AWS Console).
- Versions: Not applicable. The vulnerability is configuration-based, not tied to a service version; any CodeBuild project whose webhook filters use regex patterns without start/end anchors is exposed.
- Configurations: AWS CodeBuild projects connected to GitHub that use unanchored regex patterns in webhook filters to trigger builds based on pull requests.
## Vulnerability Description
CodeBreach is a critical supply chain vulnerability found in the configuration of the AWS CodeBuild CI pipelines behind AWS's own GitHub repositories. The flaw lay in how GitHub webhook events were filtered before a build was triggered. The filters that were meant to restrict which pull requests could start a privileged build used regex patterns without start/end anchors, so a pattern matched anywhere inside the field instead of requiring the whole value to match. An external, unprivileged attacker (anyone able to open a pull request against the repository) could therefore craft a pull request whose fields satisfied the filter and start a build in the privileged CodeBuild environment. From inside that build, the attacker could read the credentials CodeBuild uses to interact with GitHub, which gave full control of the target repository, including critical ones such as the AWS JavaScript SDK.
## Exploitation
- Status: Demonstrated by Wiz Research and confirmed by AWS, which fixed the affected projects. No public exploitation prior to disclosure is reported (implied).
- Complexity: Low. The attack relies on a subtle configuration error in the build trigger mechanism and needs nothing more than the ability to open a pull request.
- Attack Vector: Network (via crafted webhook events).
## Impact
- Confidentiality: High (Exposure of privileged credentials, secrets used by CodeBuild).
- Integrity: Critical (Ability to inject malicious code into high-value, trusted repositories like the AWS JavaScript SDK).
- Availability: High (indirect: a backdoored SDK or Console could disrupt every service that depends on it, although the vulnerability itself causes no direct denial of service).
## Remediation
### Patches
- AWS fixed the affected projects and rolled out global hardening measures within the CodeBuild service; it now promotes new security gates (such as Pull Request Comment Approval) for customer projects.
- No consumer-facing patches are listed for the affected SDK repositories, as the fix is configuration- and service-level hardening rather than a code change in the SDKs themselves.
### Workarounds
For all AWS CodeBuild users to secure their own projects against a similar attack:
1. **Prevent Untrusted Pull Requests from Triggering Privileged Builds:**
* Enable the new **Pull Request Comment Approval** build gate.
* Alternatively, manage build triggers using **CodeBuild-hosted runners** via GitHub workflows instead of webhooks.
* If relying on webhook filters, **ensure that regex patterns are properly anchored** to prevent bypasses.
2. **Secure the CodeBuild-GitHub Connection:**
* Generate a **unique, fine-grained Personal Access Token (PAT)** for *each* CodeBuild project.
* Strictly limit the PAT's permissions to the absolute minimum required.
* Consider using a dedicated, unprivileged GitHub account specifically for the CodeBuild integration.
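The following is an added example, not code from the Wiz report or from AWS. It models how a CodeBuild webhook filter group is evaluated (all filters in a group must match; any matching group triggers the build) and contrasts the weak, unanchored configuration with the anchored one from step 1. It assumes that non-EVENT filter patterns are applied as an unanchored regex search, which is the behaviour the finding depends on; the account IDs, branch names and project intent are constructed for illustration.

```python
import re
from typing import Dict, List

# A CodeBuild webhook filter group is a list of filters that must ALL match
# for that group to trigger a build; a project triggers when ANY group matches.
# The dict shape mirrors the --filter-groups JSON accepted by the CodeBuild API.
Filter = Dict[str, object]
FilterGroup = List[Filter]
WebhookEvent = Dict[str, str]  # field values taken from the GitHub payload


def filter_matches(flt: Filter, event: WebhookEvent) -> bool:
    """Evaluate one filter against the event.

    The EVENT filter holds a comma-separated list of event names; every other
    filter type holds a regular expression. Assumption: the regex is applied as
    an unanchored search, so a pattern with no ^...$ anchors matches a substring
    of the field value. That is exactly what lets the weak config be bypassed.
    """
    value = event.get(str(flt["type"]), "")
    pattern = str(flt["pattern"])
    if flt["type"] == "EVENT":
        hit = value in [e.strip() for e in pattern.split(",")]
    else:
        hit = re.search(pattern, value) is not None
    return (not hit) if flt.get("excludeMatchedPattern") else hit


def build_would_trigger(groups: List[FilterGroup], event: WebhookEvent) -> bool:
    """True if any filter group fully matches the event."""
    return any(all(filter_matches(f, event) for f in g) for g in groups)


# Weak configuration (hypothetical): intends to accept pull requests only from
# maintainer account 123456 on the release branch, but the patterns are unanchored.
WEAK_GROUPS: List[FilterGroup] = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456"},
    {"type": "HEAD_REF", "pattern": "refs/heads/release"},
]]

# Corrected configuration: the same intent, with every regex anchored.
HARDENED_GROUPS: List[FilterGroup] = [[
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "^123456$"},
    {"type": "HEAD_REF", "pattern": "^refs/heads/release$"},
]]

# Constructed events. The attacker's account ID merely CONTAINS "123456", and the
# attacker picked a branch name that contains "refs/heads/release".
MAINTAINER_PR: WebhookEvent = {
    "EVENT": "PULL_REQUEST_CREATED",
    "ACTOR_ACCOUNT_ID": "123456",
    "HEAD_REF": "refs/heads/release",
}
ATTACKER_PR: WebhookEvent = {
    "EVENT": "PULL_REQUEST_CREATED",
    "ACTOR_ACCOUNT_ID": "9912345678",
    "HEAD_REF": "refs/heads/release-pwn",
}


def compare() -> Dict[str, bool]:
    """Trigger outcome of both configurations for both pull requests."""
    return {
        "weak/maintainer": build_would_trigger(WEAK_GROUPS, MAINTAINER_PR),
        "weak/attacker": build_would_trigger(WEAK_GROUPS, ATTACKER_PR),
        "hardened/maintainer": build_would_trigger(HARDENED_GROUPS, MAINTAINER_PR),
        "hardened/attacker": build_would_trigger(HARDENED_GROUPS, ATTACKER_PR),
    }


if __name__ == "__main__":
    for name, triggered in compare().items():
        print(f"{name}: {'BUILD TRIGGERED' if triggered else 'blocked'}")
```

The weak configuration triggers for the attacker's pull request just as it does for the maintainer's; only the anchored configuration blocks it. Anchoring is necessary but not sufficient on its own: a filter that gates on ACTOR_ACCOUNT_ID still trusts whatever GitHub reports for that field, which is why the page recommends the Pull Request Comment Approval gate or CodeBuild-hosted runners over webhook filters alone.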
## Detection
- **Indicators of Compromise (IoCs):** No specific IoCs (hashes, IPs) are published. Look for builds triggered by pull requests from unknown or untrusted GitHub actors, particularly in projects whose webhook filters rely on regex patterns, and for builds whose trigger fields (actor, branch) only partially resemble the values the filter was meant to allow.
- **Detection Methods and Tools:** Wiz customers can use a pre-built query in the Wiz Threat Intel Center to find CodeBuild projects that trigger builds based on untrusted pull requests. Reviewing CodeBuild logs for unusual trigger sources is recommended.
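As an added example for teams without the Wiz query (not code from Wiz or AWS), the audit below scans the JSON returned by `aws codebuild batch-get-projects` for webhook filters whose regex would not constrain the whole field value: missing start or end anchors, or a top-level alternation such as `^a|b$` where each anchor binds to only one alternative. The input embedded here is a constructed sample in that output shape; the project names and patterns are hypothetical, and the anchor check is a heuristic (it does not parse character classes).

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws codebuild batch-get-projects --output json`;
# only the fields the audit reads are populated.
SAMPLE_BATCH_GET_PROJECTS = json.dumps({
    "projects": [
        {
            "name": "sdk-release-build",
            "webhook": {"filterGroups": [[
                {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
                {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456"},
                {"type": "HEAD_REF", "pattern": "^refs/heads/main|release$"},
            ]]},
        },
        {
            "name": "docs-build",
            "webhook": {"filterGroups": [[
                {"type": "EVENT", "pattern": "PUSH"},
                {"type": "HEAD_REF", "pattern": "^refs/heads/main$"},
            ]]},
        },
        {"name": "no-webhook-project"},
    ]
})

# Filter types whose pattern is a regex (EVENT holds a comma-separated list instead).
REGEX_FILTER_TYPES = {"ACTOR_ACCOUNT_ID", "HEAD_REF", "BASE_REF", "FILE_PATH", "COMMIT_MESSAGE"}


def has_top_level_alternation(pattern: str) -> bool:
    """True if an unescaped '|' occurs outside every parenthesised group.

    In '^a|b$' the '^' applies only to 'a' and the '$' only to 'b', so the
    pattern still matches substrings. Heuristic: escapes are honoured,
    character classes are not parsed.
    """
    depth, i = 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return True
        i += 1
    return False


def pattern_problem(pattern: str) -> str:
    """Why the pattern fails to constrain the whole value, or '' if it is fine."""
    if not pattern.startswith(("^", r"\A")):
        return "no start anchor"
    if not pattern.endswith(("$", r"\Z", r"\z")) or pattern.endswith(r"\$"):
        return "no end anchor"
    if has_top_level_alternation(pattern):
        return "top-level alternation defeats anchors"
    return ""


def audit_projects(batch_get_projects_json: str) -> List[Dict[str, str]]:
    """Report every regex webhook filter that does not match the whole field."""
    findings: List[Dict[str, str]] = []
    for project in json.loads(batch_get_projects_json).get("projects", []):
        groups = (project.get("webhook") or {}).get("filterGroups", [])
        for group in groups:
            for flt in group:
                if flt.get("type") not in REGEX_FILTER_TYPES:
                    continue
                problem = pattern_problem(flt.get("pattern", ""))
                if problem:
                    findings.append({
                        "project": project.get("name", "?"),
                        "type": flt["type"],
                        "pattern": flt["pattern"],
                        "problem": problem,
                    })
    return findings


if __name__ == "__main__":
    for finding in audit_projects(SAMPLE_BATCH_GET_PROJECTS):
        print(f"{finding['project']}: {finding['type']} {finding['pattern']!r}: {finding['problem']}")
```

To run it against a real account, replace `SAMPLE_BATCH_GET_PROJECTS` with the output of `aws codebuild batch-get-projects --names <project names> --output json` (the names come from `aws codebuild list-projects`). A clean audit only means the filters match whole values; it says nothing about whether a PULL_REQUEST event from an untrusted actor can still reach a privileged build, which is what the Pull Request Comment Approval gate addresses.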
## References
- Vendor Advisories: Wiz Research blog post on CodeBreach.
- Relevant Links:
* Wiz Report: hxxps://www.wiz.io/blog/codebreach-supply-chain-vulnerability-aws-codebuild
* AWS Documentation on Pull Request Comment Approval: hxxps://docs.aws.amazon.com/codebuild/latest/userguide/pull-request-build-policy.html
* AWS Documentation on Webhook Filters: hxxps://docs.aws.amazon.com/codebuild/latest/userguide/webhooks.html