Worst-case scenarios included malicious builds and wider infrastructure compromise.

Security researchers have found that multiple workflows in GitHub Actions, the widely used continuous integration and continuous delivery (CI/CD) service, are susceptible to command execution.

An automation tool built by Tinder’s research team found security holes that would have allowed write access to several open source GitHub repositories, including Elastic’s Logstash, to be hijacked.

Rojan Rijal, Johnny Nipper, and Tanner Emek, who work at Tinder as red teamer, senior product security manager, and engineering manager respectively, outlined the findings in a blog post.

According to the group, “in the worst case situation” a weak workflow can be used to retrieve the GITHUB_TOKEN value, which by default has read/write access to the repository. This could be used to compromise the supply chain and push a malicious build to users.

They stated that if more sensitive secrets held in the pipeline, such as AWS credentials, API keys, or service credentials, were compromised, “this might result in a company’s infrastructure being compromised.”

Unsafe user inputs in run scripts were the most frequent source of vulnerabilities. The researchers also found numerous instances of the pull_request_target event being used improperly, which, among other things, could bypass a 2019 fix for an issue with how events from forked repositories were handled.

The research focused on projects with vulnerability disclosure policies, and validated vulnerabilities were reported responsibly to the affected projects. Elastic’s security team quickly disabled the vulnerable workflow and confirmed that it had not been abused, the researchers said.

GitHub Workflow Auditor

Tinder Security Labs has released the research tool to the public. GitHub Workflow Auditor examines workflows for exposed secrets, fraudulent commits, and dangerous user inputs.

The authors told The Daily Swig that, because of the shortcomings of comparable existing tools, they “focused on covering most vulnerability instances in GitHub Actions as well as efficiency”. “As a result, we enable businesses to scan all of their repositories simultaneously by simply supplying a GitHub API key. This saves security teams time and effort.”

The tool also addresses a supply chain risk arising from workflows that use actions from old, unclaimed GitHub accounts. “Under such circumstances, attackers can claim the account and push malicious operations allowing them to get access to the repository and associated workflows,” the researchers said. “The tools that we tried did not address this specific circumstance.”

“At Tinder Labs, our mission is to find high-impact vulnerabilities in a variety of technologies that have a worldwide impact,” they continued. “You may expect to see more insights and tools from us in the future as we continue to investigate additional technologies.”

Mitigations

The researchers encouraged developers to properly sanitize user inputs in GitHub Actions and to contain attacks by limiting the access scope of GitHub tokens.

According to GitHub Security Lab, pull_request_target should only be used when developers “require the privileged context of the target repo” for their work.
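The two weaknesses the article names (untrusted event data interpolated into run scripts, and pull_request_target workflows that check out the pull request head) together with the token-scoping mitigation can be checked mechanically. The following Python script is an added example, not code from the article, from Elastic, or from Tinder’s GitHub Workflow Auditor. It embeds two constructed workflow files, one with the weak patterns and one hardened with a top-level permissions block and an environment variable instead of inline expression expansion, and flags the weak one. The field list in UNTRUSTED_EXPR and the finding names are this example’s own choices; real auditors cover more cases.

```python
import re

# Constructed sample workflows for this example; they are not taken from the
# article, from Elastic's repositories, or from Tinder's tool.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "Building PR: ${{ github.event.pull_request.title }}"
          make test
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building PR: $PR_TITLE"
          make test
"""

# Event-payload fields an outside contributor controls (PR title/body, branch
# name, comments, commit message). Expanding them inside `run:` rewrites the
# shell script before it executes; passing them through `env:` does not.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|head_commit\.message))"
)
PR_TARGET_TRIGGER = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\b|^on:.*\bpull_request_target\b", re.M
)
PR_HEAD_CHECKOUT = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.|head_ref)"
)
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.M)


def run_script_lines(lines):
    """Yield (1-based line number, text) for every line belonging to a `run:`
    step, following block scalars (`run: |`, `run: >`) by indentation."""
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if not value.startswith(("|", ">")):   # inline script on the same line
            yield i + 1, value
            i += 1
            continue
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip()) <= key_col:
                break                          # back at key level: block ended
            yield i + 1, line.strip()
            i += 1


def audit_workflow(text):
    """Return (finding, line) pairs; line 0 means a file-level finding."""
    findings = []
    lines = text.splitlines()
    for lineno, script in run_script_lines(lines):
        if UNTRUSTED_EXPR.search(script):
            findings.append(("untrusted-input-in-run", lineno))
    if PR_TARGET_TRIGGER.search(text):
        # pull_request_target runs with the base repo's secrets and a
        # read/write token; checking out the PR head there executes fork code
        # in that privileged context.
        for lineno, line in enumerate(lines, 1):
            if PR_HEAD_CHECKOUT.match(line):
                findings.append(("pull_request_target-checks-out-pr-head", lineno))
    if not TOP_LEVEL_PERMISSIONS.search(text):
        # Without a permissions block the GITHUB_TOKEN keeps its default scope
        # (job-level permissions blocks are not considered in this example).
        findings.append(("no-top-level-permissions", 0))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

Running the script reports the expression on the echo line, the PR-head checkout, and the missing permissions block for the first workflow, and nothing for the second. The line-based scanner deliberately avoids a YAML dependency so it runs anywhere; for production use, parse the YAML properly and extend the untrusted-field list to every contributor-controlled payload field.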

The Tinder Security Labs findings follow the discovery in March of misconfigured GitHub Actions workflows that caused serious issues in a number of repositories, and a GitHub Actions patch in January for a code review safeguard bypass.
