Malicious builds and wider infrastructural compromise were worst-case scenarios
Security researchers have identified multiple workflows in popular continuous integration and development (CI/CD) service GitHub Actions that are vulnerable to command execution.
A research team from dating platform Tinder crafted an automation script that unearthed flaws that enabled the exfiltration of secrets that provide write access to various open source GitHub repositories, including Elastic’s Logstash.
A blog post documenting the findings was penned by Rojan Rijal, Johnny Nipper, and Tanner Emek – respectively red teamer, senior product security manager, and engineering manager at Tinder.
The trio told The Daily Swig that “in the worst case scenario, you can exploit a vulnerable workflow to retrieve the GITHUB_TOKEN value”, which has read/write access to the repository by default. “This can be used to push a malicious build against users and perform supply chain related exploits.”
If more sensitive access secrets within the workflow such as AWS credentials, API Keys, or service credentials were exposed, “this could lead to a compromise of a company’s infrastructure”, they added.
The most common cause of vulnerabilities was unsafe user inputs in run scripts. The researchers also found many examples where pull_request_target was misused, which among other things could bypass a 2019 fix for an issue related to the use of event handlers in forked repositories.
The research focused on projects with vulnerability disclosure policies, with validated vulnerabilities responsibly reported to projects. Elastic’s security team quickly deactivated the vulnerable workflow and confirmed no abuse had occurred, said the researchers.
GitHub Workflow Auditor
Tinder Security Labs has open sourced the tool used for the research. GitHub Workflow Auditor checks workflows for unsafe user inputs, malicious commits, and secrets.
Given the limitations of comparable, existing tools, the authors told The Daily Swig that they “focused on covering most vulnerability cases in GitHub Actions as well as efficiency. As such, we allow organizations to scan all of their repositories at once by providing a GitHub API key. This reduces time and effort for security teams”.
The tool also addressed a supply chain risk posed by workflows running actions from old GitHub accounts. “In such cases, attackers can claim the account and push malicious actions allowing them to get access to the repository and its workflows,” the researchers explained. “This specific case was not covered by the tools that we tested.”
They added: “Our goal at Tinder Labs is to identify high impact vulnerabilities in a wide array of technologies which have global impact. As we research other technologies, you can expect to see more findings and tools from us in the future.”
The researchers urged developers to properly sanitize user inputs in GitHub Actions and mitigate attacks by limiting GitHub Tokens’ access scope.
GitHub Security Lab has, meanwhile, previously recommended that pull_request_target only be used when developers “need the privileged context of the target repo” in their workflow.
Tinder Security Labs’ findings follow the disclosure in March of misconfigured GitHub Actions workflows that caused critical flaws in dozens of repos, and a GitHub Actions patch in January for a code review safeguard bypass.
GitHub has not responded to The Daily Swig’s invitation to comment.