Summary
AWS Simple EC2 is a CLI tool that combines the process of launching, connecting, and terminating EC2 instances into a single command for ad hoc testing.
In versions <= v0.10.0, AMI filtering during AMI selection validates only the AMI name. The lack of explicit AMI owner validation is inconsistent with public EC2 documentation and guidelines. Accurate discovery and selection of the intended AMI requires owner specification and/or filtering.
Impact
A user may unintentionally launch an EC2 instance from an AMI with a matching name from an untrusted publisher, potentially resulting in availability or other security concerns as a result of executing incorrect or malicious software.
Impacted Versions: <= v0.10.0
Patches
A patch for the issue is available in versions v0.11.0 and above. The patch uses the owner-alias field of the AMI in the filtering logic, which is a common validation to mitigate the concern.
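The difference between name-only filtering and filtering that also checks the owner alias, as an added Go example that is not code from simple-ec2 or its patch. The `Image` type, the function names, the AMI IDs and the name pattern are constructed for illustration, and treating `amazon` as the trusted alias is an assumption.

```go
package main

import (
	"fmt"
	"path"
)

// Image holds the DescribeImages fields used here (local type, not the SDK's).
type Image struct{ ID, Name, OwnerAlias string }

// filter keeps images whose name matches the glob and that keep accepts.
func filter(images []Image, pattern string, keep func(Image) bool) ([]Image, error) {
	var out []Image
	for _, img := range images {
		ok, err := path.Match(pattern, img.Name)
		if err != nil {
			return nil, err // malformed pattern
		}
		if ok && keep(img) {
			out = append(out, img)
		}
	}
	return out, nil
}

// MatchByName is name-only filtering, as the advisory describes for <= v0.10.0.
func MatchByName(images []Image, pattern string) ([]Image, error) {
	return filter(images, pattern, func(Image) bool { return true })
}

// MatchByNameAndOwner also requires a non-empty owner alias equal to trusted.
func MatchByNameAndOwner(images []Image, pattern, trusted string) ([]Image, error) {
	if trusted == "" {
		return nil, fmt.Errorf("trusted owner alias must not be empty")
	}
	return filter(images, pattern, func(i Image) bool { return i.OwnerAlias == trusted })
}

// Constructed sample data: IDs and names are made up for this example.
var sample = []Image{
	{"ami-0aaaaaaaaaaaaaaa1", "amzn2-ami-hvm-2.0.20240101-x86_64-gp2", "amazon"},
	{"ami-0bbbbbbbbbbbbbbb2", "amzn2-ami-hvm-2.0.20240301-x86_64-gp2", ""},
}

func main() {
	const pat = "amzn2-ami-hvm-2.0.*-x86_64-gp2"
	byName, _ := MatchByName(sample, pat)
	byOwner, _ := MatchByNameAndOwner(sample, pat, "amazon")
	fmt.Println(len(byName), "by name;", len(byOwner), "by name and owner")
}
```

The second sample image has no owner alias, which is how an image published from an ordinary account appears, so it passes the name check but not the owner check.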
Credits
We would like to thank Seth Art (GitHub alias: @sethsec) for reporting this issue.
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Reporting page: https://aws.amazon.com/security/issue-reporting