

Ethical Hacking News

Newly Discovered Vulnerability Allows Hackers to Gain Code Execution on Amazon EC2 Instances via "whoAMI" Attacks


A newly discovered vulnerability known as the "whoAMI" attack has been found to allow hackers to gain code execution on Amazon Web Services (AWS) EC2 instances by exploiting a name confusion attack that takes advantage of how software projects retrieve AMI IDs.

  • The "whoAMI" attack allows hackers to gain code execution on Amazon Web Services (AWS) EC2 instances by exploiting a name confusion attack.
  • A vulnerability in how software projects retrieve AMI IDs is exploited, allowing attackers to access the EC2 instance and execute code.
  • Infrastructure-as-code tools like Terraform exacerbate the issue by automatically picking the latest AMI that matches the filter.
  • Amazon has confirmed the vulnerability and pushed out a fix, but customers must take proactive steps to prevent or mitigate such attacks.
  • Recommended measures are to audit configuration, update the code that selects AMIs, and use the "Allowed AMIs" feature in Audit Mode to find untrusted AMIs and in Enforcement Mode to block them.



    Recently, security researchers from DataDog have made headlines with their discovery of a new type of attack known as the "whoAMI" vulnerability. This vulnerability allows hackers to gain code execution on Amazon Web Services (AWS) EC2 instances by exploiting a name confusion attack that takes advantage of how software projects retrieve AMI IDs. In this article, we will delve into the details of the whoAMI vulnerability, its impact on AWS customers, and what steps can be taken to prevent or mitigate such attacks.

    The "whoAMI" vulnerability is a type of name confusion attack where an attacker publishes an Amazon Machine Image (AMI) with a specific name that fits the pattern used by trusted owners. When a software project retrieves AMI IDs using the ec2:DescribeImages API without specifying an owner, AWS returns all matching AMIs, including the attacker's. This allows the attacker to gain access to the EC2 instance and execute code on it.

    The problem is made worse by infrastructure-as-code tools such as Terraform when they are configured with "most_recent=true", which automatically picks the newest AMI that matches the filter. An attacker only has to publish an AMI with a name similar to a trusted one and a later creation date to have it selected ahead of the legitimate image.

    To demonstrate that a malicious AMI can be retrieved in place of a trusted one, DataDog's researchers published a backdoored AMI in the public Community AMI catalog under a name that mimicked a legitimate entry. When a victim system configured with "most_recent=true" queried for the latest matching AMI, the lookup returned the attacker's image instead of the trusted one.

    The good news is that Amazon has confirmed the vulnerability and pushed out a fix in September, which should prevent attackers from exploiting this vulnerability. However, the problem persists on the customer side, as organizations may fail to update their code to take advantage of the patch.

    Amazon advises customers to always specify AMI owners when calling the "ec2:DescribeImages" API and to enable the "Allowed AMIs" feature for additional protection. The feature is available via AWS Console → EC2 → Account Attributes → Allowed AMIs. Terraform 5.77 began warning users when "most_recent = true" is used without an owner filter, with stricter enforcement planned for the 6.0 release.

    To prevent or mitigate such attacks, administrators should audit their configuration and update the code that selects AMIs (Terraform, AWS CLI, Python Boto3, and the Go AWS SDK) so that every lookup is constrained to trusted owners. To find out whether untrusted AMIs are already in use, enable Audit Mode under "Allowed AMIs"; switching to "Enforcement Mode" then blocks them.
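    The following added example (not DataDog's or AWS's code) models the selection bug described above and the owner-based audit check: a constructed catalog shaped like an EC2 DescribeImages response, a lookup that mimics "most_recent=true" with and without an owner filter, and a helper that flags instances launched from images whose owner is not trusted. All account and image IDs are placeholders.

```python
from fnmatch import fnmatch

# Constructed catalog mimicking the fields of an EC2 DescribeImages response:
# a trusted publisher's image and a newer, look-alike public image from an
# unrelated account. Owner and image IDs are placeholders, not real accounts.
TRUSTED_OWNERS = ["111111111111"]
CATALOG = [
    {"ImageId": "ami-0123456789abcdef0", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240801",
     "CreationDate": "2024-08-01T00:00:00.000Z"},
    {"ImageId": "ami-0fedcba9876543210", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
     "CreationDate": "2024-09-01T00:00:00.000Z"},
]


def describe_images(catalog, name_filter, owners=None):
    """Mimic ec2:DescribeImages with a wildcard name filter and an optional
    owner filter. With owners=None every public image whose name matches is
    returned, which is the condition the whoAMI attack relies on."""
    return [img for img in catalog
            if fnmatch(img["Name"], name_filter)
            and (owners is None or img["OwnerId"] in owners)]


def most_recent(images):
    """Terraform's most_recent=true: pick the image with the newest CreationDate."""
    if not images:
        raise LookupError("no AMI matched the filter")
    return max(images, key=lambda img: img["CreationDate"])


def select_ami(catalog, name_filter, owners=None):
    """Return the ImageId a most_recent=true lookup would resolve to."""
    return most_recent(describe_images(catalog, name_filter, owners))["ImageId"]


def untrusted_instances(instances, catalog, trusted_owners):
    """Audit helper: list instances whose AMI was not published by a trusted
    owner (or is absent from the catalog), the kind of check Allowed AMIs
    Audit Mode performs before Enforcement Mode is switched on."""
    owner_of = {img["ImageId"]: img["OwnerId"] for img in catalog}
    return [inst["InstanceId"] for inst in instances
            if owner_of.get(inst["ImageId"]) not in trusted_owners]
```

With real data, pass `resp["Images"]` from a boto3 `describe_images` call as the catalog and the `Instances` records from `describe_instances` to `untrusted_instances`.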

    Furthermore, DataDog has released a scanner to check AWS accounts for instances created from untrusted AMIs, available in this GitHub repository. This scanner can help organizations quickly identify and remediate vulnerable EC2 instances.

    In conclusion, the whoAMI vulnerability is a serious security risk that allows hackers to gain code execution on Amazon EC2 instances by exploiting a name confusion attack. While Amazon has confirmed the vulnerability and pushed out a fix, it is essential for customers to take proactive steps to prevent or mitigate such attacks. By understanding how this vulnerability works and taking necessary precautions, organizations can protect their AWS resources from unauthorized access.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances/


  • Published: Thu Feb 13 17:45:31 2025 by llama3.2 3B Q4_K_M