Best Top Reviews Online

Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability

  • Topics:Tech
  • PublishedDecember 13, 2022
  • ByFrank

Lightspin, a cloud security company, reported that the Amazon Elastic Container Registry (ECR) Public Gallery contained a critical security flaw that could have been exploited to launch a wide variety of attacks.

According to Gafnit Amiga, Lightspin’s director of security research, in a report provided to The Hacker News, “by exploiting this vulnerability, a malicious actor could delete all images in the Amazon ECR Public Gallery or update the image contents to inject malicious code.”

Any machine that pulls and runs the image, be it a user’s local machine, a Kubernetes cluster, or the cloud, will execute the malicious code.

AWS ECR is a container image registry service that lets developers distribute their code in the form of Docker images and deploy those images at scale. The ECR Public Gallery is where all of the accessible public repositories hosted on ECR are displayed.

When you create a public registry on Amazon, “by default, your account has read and write access to the repositories in your public registry,” as stated in the official documentation. However, to access the Amazon ECR APIs and upload images to your repositories, the IAM user must have the appropriate permissions.

However, Lightspin discovered that the vulnerability could be exploited by external actors to delete, update, and create poisoned versions of legitimate images in registries and repositories belonging to other AWS accounts using exploiting undocumented internal ECR Public APIs.

To delete images using the “DeleteImageForConvergentReplicationInternal” action, or to push a new image using the “PutImageForConvergentReplicationInternal” action, temporary credentials are acquired using Amazon Cognito to authorize requests to the internal APIs.

A “deep software supply chain attack,” as described by Lightspin.

The urgency with which Amazon deployed a fix to address the vulnerability on November 16, 2022, less than 24 hours after it was reported, is indicative of the gravity of the situation. There is nothing the customer needs to do.

Depending on the attacker’s motivations and techniques, this flaw “may lead to denial-of-service, data exfiltration, lateral movement, privilege escalation, data destruction, and other multivariate attack paths,” Amiga said.

The ECR Public supply chain could be compromised if “a malicious actor poisoned popular images while abusing the trust model of ECR Public.”

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus

Get more info

Deals

Reviews

Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer

BestTopReviewsOnline.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. As an Amazon Associate I earn from qualifying purchases.

 

Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.