Bug 1623095 (CVE-2018-15869) - CVE-2018-15869 awscli: Allows loading of an undesired AMI by setting similar image properties
Status: CLOSED NOTABUG
Alias: CVE-2018-15869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1623096 1623097
Blocks: 1623098
Reported: 2018-08-28 13:06 UTC by Andrej Nemec
Modified: 2019-09-29 14:57 UTC (History)

Last Closed: 2018-10-05 09:25:05 UTC

Description Andrej Nemec 2018-08-28 13:06:35 UTC
The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlier versions) does not require the --owners flag when describing images, which makes it easier for remote attackers to trigger the loading of an undesired AMI by setting similar image properties (i.e., name), as exploited in the wild during August 2018 with a Monero miner AMI instead of the expected Ubuntu AMI.

References:

https://github.com/hashicorp/packer/issues/6584

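The lookup the description refers to, as an added example that is not code from the bug report, awscli or Packer: a Python simulation over a constructed image catalogue of the "newest image whose name matches" rule, run once without an owner constraint and once with the expected owner pinned (what the CLI's `--owners` flag does). The AMI IDs and the second account are constructed; the Canonical owner account ID is assumed from Canonical's own documentation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# Account that publishes official Ubuntu AMIs, per Canonical's documentation
# (assumed here, not stated in the bug report; confirm with the vendor).
CANONICAL_OWNER = "099720109477"

@dataclass(frozen=True)
class Image:
    image_id: str
    owner_id: str
    name: str
    creation_date: str  # ISO 8601, as describe-images returns it

# Constructed catalogue: the second entry imitates the official name pattern
# but comes from an unrelated, hypothetical account and is newer, so a
# "newest image matching this name" rule prefers it.
CATALOGUE: List[Image] = [
    Image("ami-0a1b2c3d4e5f60001", CANONICAL_OWNER,
          "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180814",
          "2018-08-14T10:00:00.000Z"),
    Image("ami-0a1b2c3d4e5f60002", "111122223333",
          "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180820",
          "2018-08-20T10:00:00.000Z"),
]

PATTERN = "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"

def newest_matching(images: Iterable[Image], name_pattern: str,
                    owners: Optional[List[str]] = None) -> Optional[Image]:
    """Newest image whose name matches the glob, optionally restricted to
    the given owner account IDs.

    owners=None is the unconstrained lookup the report describes: any account
    publishing a similarly named image can be selected. Passing the expected
    owners (the --owners flag in the CLI) filters candidates before the
    "newest wins" step, so the name alone cannot decide the result.
    """
    candidates = [img for img in images
                  if fnmatchcase(img.name, name_pattern)
                  and (owners is None or img.owner_id in owners)]
    return max(candidates, key=lambda i: i.creation_date, default=None)

if __name__ == "__main__":
    loose = newest_matching(CATALOGUE, PATTERN)
    pinned = newest_matching(CATALOGUE, PATTERN, owners=[CANONICAL_OWNER])
    print("no owner filter:", loose.image_id, "owner", loose.owner_id)
    print("owner pinned:   ", pinned.image_id, "owner", pinned.owner_id)
```

Without the owner filter the newer look-alike wins on name alone; with the owner pinned the same pattern resolves to the vendor's image, which is the check to keep in any AMI lookup that automation feeds into a build.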
Comment 1 Andrej Nemec 2018-08-28 13:06:59 UTC
Created awscli tracking bugs for this issue:

Affects: fedora-all [bug 1623096]

Comment 4 Riccardo Schirone 2018-10-05 09:25:05 UTC
Closing this bug as NOTABUG and asked MITRE for rejection, since the issue does not seem to be in AWS CLI but in Packer.
