この日はAWSからセキュリティ速報が2件公開された。1件目はAWS Client VPNのmacOSクライアントにおけるローカル権限昇格の脆弱性(CVE-2025-11462、AWS-2025-020)で、ログローテーション時にログ出力先ディレクトリの検証が不十分だったため、非管理者ユーザがCrontab等の特権的な場所へのシンボリックリンクを介してroot権限でのコード実行を引き起こせる問題。バージョン1.3.2〜5.2.0が影響を受け、WindowsとLinuxは対象外。2件目はAmazon Q DeveloperおよびKiroのIDEプラグインにおけるプロンプトインジェクション問題(AWS-2025-019)で、外部研究者のブログ指摘を受けたもの。リモートコード実行やDNS経由のシークレット漏洩などが該当し、Language Server v1.22.0/v1.24.0やKiro 0.1.42でHuman-in-the-Loop確認を必須化する対応が済んでいる。
AWS Client VPN macOSクライアント: ログローテーションの検証不備による権限昇格 (CVE-2025-11462)
Amazon Q Developer / Kiro: IDEプラグインのプロンプトインジェクション問題とHITL確認による緩和
Bulletin ID: AWS-2025-020
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/10/07 01:30 PM PDT
Description:
AWS Client VPN is a managed client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supporting Windows, macOS, and Linux and provides the ability for end users to establish a secure tunnel to the AWS Client VPN Service.
We have identified CVE-2025-11462, an issue in AWS Client VPN. The macOS version of the AWS VPN Client lacked proper validation checks on the log destination directory during log rotation. This allowed a non-administrator user to create a symlink from a client log file to a privileged location (e.g., Crontab). Triggering an internal API with arbitrary inputs would then write these inputs to the privileged location on log rotation, allowing execution with root privileges. This issue does not affect Windows or Linux devices.
Affected versions:
AWS Client VPN Client versions 1.3.2 through 5.2.0
Bulletin ID: AWS-2025-019
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/10/07 01:30 PM PDT
Description:
We are aware of blog posts by Embrace The Red (“The Month of AI Bugs”) describing prompt injection issues in Amazon Q Developer and Kiro.
Amazon Q Developer: Remote Code Execution with Prompt Injection” and “Amazon Q Developer for VS Code Vulnerable to Invisible Prompt Injection.
These issues require an open chat session and intentional access to a malicious file using commands such as find, grep, or echo, which could be executed without Human-in-the-Loop (HITL) confirmation. In some cases, invisible control characters could obfuscate these commands. On July 17, 2025, we released Language Server v1.22.0, which requires HITL confirmation for these commands
Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection.
This issue requires a developer to accept a prompt-injected suggestion including commands such as ping or dig, which could exfiltrate metadata via DNS queries without HITL confirmation. On July 29, 2025, we released Language Server v1.24.0, which requires HITL confirmation for these commands.
AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection.
This issue requires local system access to inject instructions that lead to arbitrary code execution via Kiro IDE or MCP settings files without HITL confirmation in either Kiro's Autopilot or Supervised mode. On August 1, 2025, we released Kiro version 0.1.42, which requires HITL confirmation for these actions when configured in Supervised mode.
Amazon Q Developer and Kiro are built on the principles of agentic development, enabling developers to work more efficiently with the help of AI agents. As customers adopt AI-enhanced development workflows, we recommend they evaluate and implement appropriate security controls and policies based on their specific environments and shared responsibility models (AWS, Amazon Q, Kiro). Amazon Q Developer and Kiro provide safeguards, including Human-in-the-Loop protections and customizable execution policies, to support secure adoption.
Affected versions:
Amazon Q Developer for find, grep, echo (version <1.22.0)
Amazon Q Developer for ping, dig: (versions <1.24.0)
AWS Kiro: version 0.1.42