Whoami Attack: Remote Code Execution on Amazon EC2

Đinh Văn MạnhĐinh Văn Mạnh
4 min read

In the realm of cloud security, vulnerabilities stemming from misconfigurations or inadequate management are frequently targeted by malicious actors. Recently, a significant vulnerability was identified in AWS's Amazon EC2 service, which permits attackers to perform remote code execution (RCE) on virtual machines (instances) via a technique termed the "Whoami Attack."

What is the Whoami Attack?

The Whoami Attack is a method that takes advantage of weaknesses in the metadata management mechanism of Amazon EC2. Metadata includes information about the virtual machine, such as the instance ID, region, and details about IAM roles (Identity and Access Management). Ordinarily, this metadata is accessible from within the instance through a local IP address.

However, if the metadata service is improperly configured, attackers may exploit it to obtain sensitive information, including IAM role credentials. This can result in privilege escalation and remote code execution on the instance.ce.

Whoami Attack Chain

  1. Attacker creates a malicious public AMI:

    • The attacker creates a malicious Amazon Machine Image (AMI) with a name similar to a legitimate AMI to cause confusion.

  2. Attacker publishes the public AMI:

    • The attacker publishes the AMI to the AWS marketplace, making it publicly discoverable by anyone searching.

  3. Victim searches for an AMI:

    • The victim searches for an AMI using the ec2:DescribeImages API without specifying the "owners" attribute.

  4. Selection of the malicious AMI:

    • The API returns a list of matching AMIs, including the malicious one. The victim unknowingly selects the malicious AMI.

  5. Launch EC2 instance from the AMI:

    • The victim uses the malicious AMI to launch an Elastic Compute Cloud (EC2) instance in their account.

  6. EC2 executes malicious code:

    • Once the EC2 instance launches, the malicious code in the AMI executes, allowing the attacker to perform remote code execution (RCE) in the victim's environment.

  7. Reverse connection to the attacker:

    • The EC2 instance initiates a reverse connection to the attacker's command and control server, providing access to the victim's system.

  8. Perform post-attack actions:

    • The attacker performs post-attack actions, such as accessing data, changing system configurations, or conducting other activities in the victim's environment.

Impact of Whoami Attack

This vulnerability can lead to serious consequences, including:

  • Leak of sensitive data: The attacker can access sensitive information stored on the instance or in other AWS services.

  • Control of AWS account: If credentials are exposed, the attacker can perform destructive actions or steal data across the entire AWS account.

  • Service disruption: Executing malicious code can disrupt the operation of services running on the instance.

Prevention Methods

To mitigate the risks from the Whoami Attack, organizations using AWS EC2 should implement the following measures:

  1. Restrict metadata access: Use AWS's Instance Metadata Service Version 2 (IMDSv2), which requires token authentication to access metadata.

  2. Limit IAM roles: Assign only the minimum necessary permissions to IAM roles for the instance.

  3. Monitor and audit activities: Use tools like AWS CloudTrail to monitor unusual activities in the AWS account.

  4. Update and patch: Ensure that instances are always updated with the latest security patches.

Amazon's Response

AWS stated that this vulnerability has not been exploited outside of security researchers' tests, so no customer data has been compromised through WhoAMI attacks.

Amazon advises users to always specify the AMI owner when using the "ec2:DescribeImages" API and enable the 'Allowed AMIs' feature for enhanced protection.

  • This new feature is available through AWS Console → EC2 → Account Attributes → Allowed AMIs.

Starting from November last year, Terraform version 5.77 began warning users when using "most_recent = true" without an owner filter, with stricter enforcement planned for future versions (6.0).

System administrators must check and update their code configurations on AMI sources (Terraform, AWS CLI, Python Boto3, and Go AWS SDK) to ensure safe AMI retrieval.

  • To check if untrusted AMIs are being used, enable AWS Audit Mode through 'Allowed AMIs' and switch to 'Enforcement Mode' to block them.

Conclusion

This issue was resolved on September 19 last year, and on December 1, AWS introduced a new security control called 'Allowed AMIs', which allows customers to create a whitelist of trusted AMI providers.

AWS stated that this vulnerability has not been exploited outside of security researchers' tests, so no customer data has been compromised through WhoAMI attacks.

The Whoami Attack is a serious vulnerability that reminds organizations of the importance of configuring and managing security in cloud environments. With the increasing complexity of cloud services, understanding and applying appropriate security measures is essential to protect data and resources from potential threats.

References

  1. whoAMI attack could allow remote code execution within AWS account

  2. whoAMI attacks give hackers code execution on Amazon EC2 instances

0
Subscribe to my newsletter

Read articles from Đinh Văn Mạnh directly inside your inbox. Subscribe to the newsletter, and don't miss out.

threat intelligenceAWSwhomai-attack

Written by

Đinh Văn Mạnh
Đinh Văn Mạnh