@hulumi/policies, Improper Access Control, GHSA-2 (High) -DC-Jun2026-336


Intro: How GHSA-2 Works

The vulnerability resides in HulumiHardeningPack, a policy pack for infrastructure-as-code (IaC) that enforces S3 bucket hardening. HULUMI-H1 normally forbids raw `aws:s3:Bucket` resources unless they are children of a SecureBucket component. HULUMI-H5 provides an exemption for that rule: a raw bucket that claims to be hardened by a SecureBucket parent is allowed, provided the parent emits five sibling resources: public-access block, SSE-KMS, ownership controls, versioning, and a TLS-only bucket policy.
The bug lies in H5's validation logic. It checks only the types of those five siblings, not whether they actually apply to the exempted bucket. An attacker, or a malicious or compromised pull request, could create an unhardened raw bucket and pair it with five decoy sibling resources whose `bucket` property (or `Resource` ARN list, for the policy) points to a completely different, already-hardened bucket. Because H5 never verified the value binding, it marked the stack as compliant even though the actual raw bucket shipped with zero hardening: no public access block, no encryption, no ownership controls, no versioning, no TLS enforcement.
This effectively bypasses both H1 and H5, allowing non-compliant S3 buckets to be deployed while the policy pack reports full compliance. The issue affects all versions of `@hulumi/policies` before 1.4.0. The patch introduces two extra checks: (1) each sibling must share the same parent SecureBucket instance, verified via an anchored URN helper (from GHSA-2), and (2) the sibling's `bucket` property (or the policy's `Resource` ARN) must explicitly reference the exempted bucket. Decoy siblings pointing elsewhere are rejected.

DailyCVE Form:

Platform: @hulumi/policies
Version: <1.4.0
Vulnerability: Improper Access Control
Severity: High
Date: 2024-01-10

Prediction: 2024-01-20

What Undercode Say:

# Check the installed version (anything below 1.4.0 is vulnerable)
npm list @hulumi/policies
# Expected output: @hulumi/policies@<a version below 1.4.0>
# Simulate the decoy-sibling attack (policy test)
cat > invalid-stack.ts <<'EOF'
import * as aws from "@hulumi/aws";
// "fake" stands in for an already-hardened bucket; "victim" is the raw, unhardened bucket
const fakeSecure = new aws.s3.Bucket("fake", {});
const unhardened = new aws.s3.Bucket("victim", {});
// Decoy siblings: the required types, but bound to 'fake' rather than 'victim'
new aws.s3.BucketPublicAccessBlock("decoy", { bucket: fakeSecure.id });
new aws.s3.BucketServerSideEncryptionByDefault("decoy2", { bucket: fakeSecure.id });
// ... three more decoys
EOF
# Pre-1.4.0: validation passes incorrectly
hulumi policy validate --pack HulumiHardeningPack
# Post-fix: validation fails
npm install @hulumi/policies@1.4.0
hulumi policy validate --pack HulumiHardeningPack
# Expected: Violation – sibling bucket mismatch

Exploit:

1. Create an unhardened raw S3 bucket resource.
2. Create five sibling resources of the required types (public‑access block, SSE‑KMS, ownership controls, versioning, TLS‑only policy) but set their `bucket` property or `Resource` ARN to a different, already‑compliant bucket.
3. Deploy the stack while `@hulumi/policies` <1.4.0 is active.
4. The policy pack reports compliance, but the actual raw bucket has no hardening defaults.

Protection:

– Upgrade to `@hulumi/policies@1.4.0` immediately.
– After upgrade, re‑validate all stacks that use the HulumiHardeningPack; any stack that previously passed but had decoy siblings will now fail.
– If upgrade is not possible, manually inspect raw S3 buckets exempted via SecureBucket to ensure the five hardening siblings sit under the same SecureBucket instance and actually reference the exempted bucket (by `bucket` property, or by `Resource` ARN for the policy).
– No in‑product workaround exists; the exemption logic itself required the value‑binding fix, so manual inspection is only a stopgap until the upgrade.
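To make the H5 flaw from the intro concrete, and to give the manual inspection in the last bullet something runnable, here is an added example that is not code from `@hulumi/policies` or the HulumiHardeningPack. It models stack resources as plain objects and implements the exemption check twice: once the way the advisory describes the pre-1.4.0 logic (types only), and once with the two patched checks (same SecureBucket parent, and a `bucket` property or policy `Resource` ARN that names the exempted bucket). The resource shape, the `hulumi:components:SecureBucket` type name, the five sibling type strings and the URN layout are assumptions made for this example; the "decoy" stack is constructed inline.

```typescript
// Added example (not code from @hulumi/policies): a plain-object model of the
// HULUMI-H5 exemption check before and after the value-binding fix. Resource
// shapes, type strings, the SecureBucket type name and the URN layout are
// assumptions for illustration, not the policy pack's real API.

interface Resource {
  urn: string;                 // assumed: "urn:hulumi:<stack>::<project>::<parentType>$<type>::<name>"
  type: string;                // e.g. "aws:s3:Bucket"
  parentUrn?: string;          // URN of the enclosing component, if any
  props: Record<string, any>;  // resolved input properties
}

const SECURE_BUCKET = "hulumi:components:SecureBucket"; // assumed component type
const BUCKET_POLICY = "aws:s3:BucketPolicy";
const REQUIRED_SIBLINGS = [                               // the five hardening resources
  "aws:s3:BucketPublicAccessBlock",
  "aws:s3:BucketServerSideEncryptionConfiguration",
  "aws:s3:BucketOwnershipControls",
  "aws:s3:BucketVersioning",
  BUCKET_POLICY,
];

// Pre-1.4.0 behaviour as the advisory describes it: a raw bucket is exempt if the
// five required *types* are present beside it; what they bind to is never checked.
function h5ExemptsVulnerable(bucket: Resource, stack: Resource[]): boolean {
  const siblings = stack.filter(r => r.parentUrn === bucket.parentUrn && r.urn !== bucket.urn);
  return REQUIRED_SIBLINGS.every(t => siblings.some(s => s.type === t));
}

// Value binding: does this sibling actually apply to `bucket`?
function bindsTo(sibling: Resource, bucket: Resource): boolean {
  if (sibling.type !== BUCKET_POLICY) {
    return sibling.props.bucket === bucket.props.id;
  }
  // For the TLS-only policy, every Statement.Resource must name the bucket ARN
  // (or its object prefix); a policy scoped to another bucket is a decoy.
  const policy = sibling.props.policy as { Statement: { Resource: string | string[] }[] };
  const arn: string = bucket.props.arn;
  return policy.Statement.every(st => {
    const res = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    return res.length > 0 && res.every(r => r === arn || r === `${arn}/*`);
  });
}

// Fixed behaviour: (1) siblings must hang off the same SecureBucket instance,
// anchored on the parent URN, and (2) each must bind to the exempted bucket.
function h5ExemptsFixed(bucket: Resource, stack: Resource[]): boolean {
  const parent = stack.find(r => r.urn === bucket.parentUrn);
  if (!parent || parent.type !== SECURE_BUCKET) return false;
  return REQUIRED_SIBLINGS.every(t =>
    stack.some(s => s.type === t && s.parentUrn === parent.urn && bindsTo(s, bucket)));
}

// H1 + H5 together: report every raw bucket not covered by a valid exemption.
type Exemption = (bucket: Resource, stack: Resource[]) => boolean;
function violations(stack: Resource[], exempts: Exemption): string[] {
  return stack
    .filter(r => r.type === "aws:s3:Bucket" && !exempts(r, stack))
    .map(r => r.props.id as string);
}

// Constructed stack: "logs" is genuinely hardened; "victim" sits under its own
// SecureBucket with five decoys of the right types that all point at "logs".
function buildDecoyStack(): Resource[] {
  const tlsOnly = (arn: string) => ({
    Version: "2012-10-17",
    Statement: [{ Effect: "Deny", Principal: "*", Action: "s3:*",
                  Resource: [arn, `${arn}/*`],
                  Condition: { Bool: { "aws:SecureTransport": "false" } } }],
  });
  const secure = (name: string): Resource => ({
    urn: `urn:hulumi:prod::app::${SECURE_BUCKET}::${name}`, type: SECURE_BUCKET, props: {},
  });
  const child = (parentName: string, type: string, name: string, props: Record<string, any>): Resource => ({
    urn: `urn:hulumi:prod::app::${SECURE_BUCKET}$${type}::${name}`,
    type, parentUrn: secure(parentName).urn, props,
  });
  const hardening = (parentName: string, target: string, prefix: string): Resource[] => {
    const arn = `arn:aws:s3:::${target}`;
    return REQUIRED_SIBLINGS.map(t => child(parentName, t, `${prefix}-${t.split(":")[2]}`,
      t === BUCKET_POLICY ? { bucket: target, policy: tlsOnly(arn) } : { bucket: target }));
  };
  return [
    secure("logs"),
    child("logs", "aws:s3:Bucket", "logs", { id: "logs", arn: "arn:aws:s3:::logs" }),
    ...hardening("logs", "logs", "logs"),
    secure("victim"),
    child("victim", "aws:s3:Bucket", "victim", { id: "victim", arn: "arn:aws:s3:::victim" }),
    ...hardening("victim", "logs", "decoy"),   // right types, wrong binding
  ];
}

const decoyStack = buildDecoyStack();
console.log("pre-1.4.0 violations:", violations(decoyStack, h5ExemptsVulnerable));
console.log("1.4.0 violations:    ", violations(decoyStack, h5ExemptsFixed));
```

The type-only check passes the whole stack; the patched check reports `victim`, because its siblings bind to `logs`. For a manual stopgap review, the same `bindsTo` logic is the test to apply by hand: for each exempted raw bucket, confirm every required sibling shares its SecureBucket parent and names that bucket, not merely that the five types exist somewhere nearby.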

Impact:

Consumers using HulumiHardeningPack could deploy raw S3 buckets with no public‑access block, no SSE‑KMS encryption, no ownership controls, no versioning, and no TLS‑only policy – while the policy pack falsely marked the stack as compliant. This leads to publicly accessible, unencrypted, non‑versioned buckets that violate organizational security policies and potentially expose sensitive data.


Sources:

Reported By: github.com
