@hulumi/baseline, Detection Bypass, GHSA‑gfp8‑mp24‑5vxg (moderate)

Listen to this Post

How GHSA‑gfp8‑mp24‑5vxg works

The `@hulumi/baseline` package before 1.3.2 does not fully catch AWS CloudTrail event‑selector tampering. Attackers can call the `cloudtrail:PutEventSelectors` API to alter which events a trail records without stopping the trail. They can:
– Set `ReadWriteType` to `None` or `ReadOnly` to exclude write operations.
– Set `IncludeManagementEvents` to `false` to stop logging all control‑plane activity.
– Use `advancedEventSelectors` with `notEquals` or `notStartsWith` to filter out specific event sources (e.g., s3.amazonaws.com, lambda.amazonaws.com).
– Provide an empty `DataResources` array to remove all data‑event logging.
The trail continues to run, so no immediate alert is raised. However, malicious actions fall outside the recorded scope. Versions before 1.3.2 fail to detect these changes because the detection logic did not examine the full selector payload. As a result, an attacker could silently disable audit logging, bypass GuardDuty, and hide IAM changes, data exfiltration, or other malicious activity.
Patched in 1.3.2 – detection now inspects all selector fields and regression tests ensure missing payloads are caught. Upgrade to 1.3.2 or later and rerun affected previews/checks.

DailyCVE form:

Platform: `@hulumi/baseline`
Version: before 1.3.2
Vulnerability: CloudTrail selector bypass
Severity: Moderate
Date: 2026-05-21

Prediction: Patch already available (2026-05-15)

Analytics under What Undercode Say:

Audit CloudTrail trails for selector tampering
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutEventSelectors \
--query 'Events[?contains(CloudTrailEvent, <code>"readWriteType": "None"</code>) || contains(CloudTrailEvent, <code>"includeManagementEvents": false</code>)]'
Check for excluded data sources
aws cloudtrail get-event-selectors --trail-name <trail-name> \
--query 'AdvancedEventSelectors[].FieldSelectors[?Field == <code>eventSource</code>]'
Detect empty data resource arrays
aws cloudtrail get-event-selectors --trail-name <trail-name> \
--query 'EventSelectors[?DataResources == <code>[]</code>]'

Exploit:

An attacker with `cloudtrail:PutEventSelectors` permission sends a request like:

{
"TrailName": "arn:aws:cloudtrail:...",
"EventSelectors": [{
"ReadWriteType": "None",
"IncludeManagementEvents": false,
"DataResources": []
}]
}

The trail stays “active” but logs no events. All subsequent actions are invisible.

Protection from this CVE:

  • Upgrade `@hulumi/baseline` to 1.3.2 or later.
  • Monitor `cloudtrail:PutEventSelectors` API calls and alert on:
    – `ReadWriteType` = `None` or `ReadOnly`
    – `IncludeManagementEvents` = `false`
    – `AdvancedEventSelectors` with exclusion operators.
  • Use AWS Config rule `cloudtrail-trail-logging-enabled` to detect logging changes.
  • Apply IAM policies that restrict `PutEventSelectors` to trusted roles.

Impact:

Successful tampering leads to complete loss of audit visibility. Control‑plane events (IAM changes, security group edits) and data‑plane events (S3/Lambda exfiltration) are not recorded. This bypasses GuardDuty, Security Hub, and manual log reviews, allowing undetected persistence, data theft, or infrastructure compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top