Technology

Amazon EC2 instances under fire from whoAMI attacks potentially giving hackers code execution access

February 17, 2025

A flaw named WhoAMI was found in Amazon Machine Image
It allows threat actors to gain RCE abilities on people’s AWS accounts
A fix has been released, but many users are still yet to update

Amazon Web Services (AWS) users are potentially vulnerable to a name confusion attack called “whoAMI”, experts have warned.

The vulnerability, found in Amazon Machine Image (AMI), was discovered in the summer of 2024 by cybersecurity researchers DataDog, and has now been confirmed by Amazon, which said it fixed the issue on its side, and urged users to update the code on their side and thus protect their premises.

AMI is a pre-configured template used to create and launch virtual servers (EC2 instances) in AWS. It includes an operating system, application software, and necessary configurations like storage and permissions. AMIs allow users to quickly deploy consistent environments, whether using AWS-provided images, community AMIs, or custom-built ones. This makes scaling and managing cloud infrastructure more efficient.

Following the naming pattern

AMIs can be public, or private, and once generated, come with a unique identifier. Public ones can even be found in the AWS catalog. But these public ones should also come with the ‘owners’ attribute, as a way to confirm that they’re coming from a trusted source.

Now, the researchers found that the way software projects retrieve AMI IDs was flawed, and allowed threat actors to gain remote code execution (RCE) capabilities within people’s AWS accounts.

The technical details on how the vulnerability works and how it might be exploited can be found on this link. Long story short, if a threat actor publishes an AMI with a name that follows the format used by trusted owners, it can be picked up by mistake.

When DataDog first discovered the flaw, it said that overall, a very small percentage of AWS users are vulnerable, but that still equals “thousands” of AWS accounts. Amazon responded by issuing a fix in mid-September last year, and releasing a new security control called “Allowed AMIs” in early December last year.

It also advised all users to apply the fixes, while stressing that there was no evidence of abuse in the wild.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar