AWS CDK, Sensitive Data Exposure, CVE-2024-XXXX (Critical)

How the CVE Works:

The vulnerability occurs when AWS CDK’s `cognito.UserPoolClient` construct generates a secret for an application client. During deployment, a custom resource (Custom::DescribeCognitoUserPoolClient) invokes the `DescribeCognitoUserPoolClient` API to fetch the secret. The full response, including the client secret, is logged in the Lambda function’s CloudWatch Logs. Attackers with read access to these logs can extract the secret, compromising authentication security. The issue affects AWS CDK versions >2.37.0 and <=2.187.0.

DailyCVE Form:

Platform: AWS CDK
Version: <=2.187.0
Vulnerability: Secret leakage
Severity: Critical
Date: 2024-XX-XX

What Undercode Says:

Exploitation:

1. Prerequisites:

  • AWS account access with `logs:GetLogEvents` permissions.
  • The target was deployed with a vulnerable CDK version.

2. Steps:

  • Query CloudWatch Logs for `Custom::DescribeCognitoUserPoolClient` executions:
    aws logs filter-log-events --log-group-name "/aws/lambda/<LambdaName>" --filter-pattern "DescribeCognitoUserPoolClient"
    
  • Extract `ClientSecret` from logs.

Mitigation:

1. Patch:

  • Upgrade the CDK construct library (`aws-cdk-lib`) to v2.187.0+ in the project. Note that `npm update -g aws-cdk` only updates the CDK CLI, not the library that contains the affected construct:
    npm install aws-cdk-lib@latest
    
  • Set the feature flag `@aws-cdk/cognito:logUserPoolClientSecretValue` to `false` in the `context` section of `cdk.json` and redeploy, so the custom resource stops logging the API response.

2. Secret Rotation:

  • Rotate exposed secrets via AWS Secrets Manager:
    aws secretsmanager rotate-secret --secret-id <SecretARN>
    

3. Log Restriction:

  • Apply IAM policies to restrict log access. The Resource ARN must carry region and account (or wildcards) and end in `:*` to cover the log streams; `logs:FilterLogEvents` is denied as well because the `filter-log-events` path above reads the same data:
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*:*"
      }]
    }
    

4. Custom Workaround:

  • Override `UserPoolClient` to disable secret logging (shown as a subclass with the imports it needs; the elided props are the `DescribeUserPoolClient` call and its IAM policy):
    import { SecretValue } from 'aws-cdk-lib';
    import * as cognito from 'aws-cdk-lib/aws-cognito';
    import { AwsCustomResource, Logging } from 'aws-cdk-lib/custom-resources';

    class SafeUserPoolClient extends cognito.UserPoolClient {
      public get userPoolClientSecret(): SecretValue {
        return SecretValue.resourceAttribute(
          new AwsCustomResource(this, 'DescribeClient', {
            logging: Logging.withDataHidden(), // keeps the API response out of CloudWatch Logs
            // ...
          }).getResponseField('UserPoolClient.ClientSecret')
        );
      }
    }
    

5. Detection:

  • Monitor CloudTrail for unauthorized `GetLogEvents` API calls:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetLogEvents
    

    Note: Replace placeholders (<LambdaName>, <SecretARN>) with actual values. Always validate commands in a test environment before production use.
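The detection step above tells you who read the logs; a defender also needs to know whether the logs of a given custom-resource Lambda actually contain a leaked client secret. The following added example (not part of the advisory or of AWS CDK) scans events in the shape returned by `FilterLogEvents` for a `ClientSecret` field and reports the affected `ClientId` with the secret redacted. The sample log lines are constructed, and the assumption that the handler dumps the `DescribeUserPoolClient` response as one JSON blob is ours; adapt the regexes if your log format differs.

```python
"""Scan CloudWatch Logs events from a CDK custom-resource Lambda for a leaked
Cognito app-client secret; report findings with the secret value redacted."""
import json
import re
from dataclasses import dataclass

# Match the field wherever it lands in a line; the response may be logged as one JSON blob.
SECRET_RE = re.compile(r'"ClientSecret"\s*:\s*"([^"]+)"')
CLIENT_ID_RE = re.compile(r'"ClientId"\s*:\s*"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    log_stream: str
    timestamp: int
    client_id: str           # not secret; identifies which app client to rotate
    secret_fingerprint: str  # redacted form, never the raw value


def redact(secret: str) -> str:
    """Keep 2 leading/trailing chars plus the length so an operator can confirm which value leaked."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return f"{secret[:2]}{'*' * (len(secret) - 4)}{secret[-2:]} (len={len(secret)})"


def scan_events(events) -> list[Finding]:
    """events: dicts shaped like FilterLogEvents output (logStreamName, timestamp, message)."""
    findings = []
    for ev in events:
        msg = ev.get("message", "")
        hit = SECRET_RE.search(msg)
        if not hit:
            continue
        cid = CLIENT_ID_RE.search(msg)
        findings.append(Finding(ev.get("logStreamName", "?"), int(ev.get("timestamp", 0)),
                                cid.group(1) if cid else "unknown", redact(hit.group(1))))
    return findings


# Constructed sample events (not real log output); the middle line imitates a handler
# that logs the DescribeUserPoolClient response as JSON (assumed format).
SAMPLE_EVENTS = [
    {"logStreamName": "2024/01/01/[$LATEST]abc", "timestamp": 1, "message": "START RequestId: r-1"},
    {"logStreamName": "2024/01/01/[$LATEST]abc", "timestamp": 2, "message": "Response: " + json.dumps(
        {"UserPoolClient": {"ClientId": "1h57kf5cpq17m0eml12EXAMPLE", "ClientName": "app",
                            "ClientSecret": "constructed-secret-value-0123456789"}})},
    {"logStreamName": "2024/01/01/[$LATEST]abc", "timestamp": 3, "message": "END RequestId: r-1"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.log_stream} @{f.timestamp}: ClientId={f.client_id} secret={f.secret_fingerprint}")
```

In practice, feed `scan_events` the `events` list from `aws logs filter-log-events` (or boto3's `filter_log_events`) for the custom resource's log group; every finding is an app client whose secret should be treated as exposed.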

References:

Reported By: https://github.com/advisories/GHSA-qq4x-c6h6-rfxh