The vulnerability was found in GitHub’s pull request mechanism

GitHub awards bug bounty hunter $25,000 for Actions secrets theft report

A security vulnerability that allowed attackers to disclose Actions secrets in GitHub repositories has been patched, and the researcher who discovered the bug was awarded $25,000.

On March 17, bug bounty hunter and Google employee Teddy Katz published a write-up of a GitHub vulnerability in the way pull requests interact with GitHub Actions, the platform’s workflow automation service.

Tracked as CVE-2021-22862, the security flaw is described as an improper access control vulnerability that “allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork”.


Katz examined how GitHub manages pull requests. Each pull request is meant to have a base branch, known as the base ref, which is often the repository’s main branch.

Pull request creators can set the base ref. However, the bug bounty hunter realized that it could be pointed at a commit rather than a branch. On its own this only produced errors from merge conflicts, but GitHub Actions’ permissions model turned the quirk into something more serious.

Stealing secrets

In GitHub Actions, pull requests, which are used to trigger automated workflow runs, are treated as a special case. To stop pull request authors from accessing repository secrets, GitHub simulates merging the pull request, and the workflow that runs is taken from the configuration of the pull request’s base branch rather than from the fork.

At least, unless you first turn the base ref into a commit.

According to Katz, this “breaks the GitHub Actions permission model” and bypasses Actions secrets restrictions.

“Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by pull_request_target are trusted and run with access to secrets,” the researcher explained.

“We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository, since GitHub shares commits between forks.”

An attacker could fork a public repository that uses GitHub Actions, commit a malicious Actions workflow to the fork, and create a pull request whose base ref points to that commit, obtaining access to the parent repository’s secrets in the process.

Exploit caveats

There are limitations to exploiting the vulnerability. An attacker needs to be able to fork the target repository, and the repository must already have used GitHub Actions before the attack attempt.

The vulnerability was first disclosed to GitHub’s security team via the HackerOne bug bounty platform on February 4, 2021. The issue was triaged and “partially patched” the same day by preventing pull requests whose base ref was a 40-character commit hash from triggering Actions builds.


However, if the base ref was set to a short hash or another symbolic reference that resolved to a commit, the vulnerability was still exploitable. Katz reported this to GitHub again, and a fix was rolled out to GitHub.com several hours later.
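As an added illustration (not code from Katz’s write-up or from GitHub), the toy model below contrasts the two gates described above: the partial fix that rejects only a bare 40-character hash, and an allow-list check that requires the base ref to be an existing branch of the base repository. The branch names, commit hashes and fork commit are constructed sample data.

```python
import re

# Constructed sample data for a hypothetical base repository.
# Branch name -> commit it points at. "deadbeef" is an ordinary branch whose
# name merely looks like a short hash, to show the allow-list still accepts it.
BASE_BRANCHES = {
    "main": "fedcba9876543210fedcba9876543210fedcba98",
    "release-1.x": "1" * 40,
    "deadbeef": "2" * 40,
}

# Commits the base repository can resolve. The last one was pushed only to a
# fork, but GitHub shares commit objects between a repository and its forks,
# so it is reachable from the parent repository too (the point Katz relied on).
FORK_COMMIT = "0123456789abcdef0123456789abcdef01234567"
KNOWN_COMMITS = set(BASE_BRANCHES.values()) | {FORK_COMMIT}

FULL_SHA = re.compile(r"[0-9a-f]{40}")
HEX_PREFIX = re.compile(r"[0-9a-f]{4,40}")


def resolve(ref):
    """Toy rev-parse: a branch name, a full hash, or a unique hash prefix.
    Branch names take precedence; anything else returns None."""
    if ref in BASE_BRANCHES:
        return BASE_BRANCHES[ref]
    if HEX_PREFIX.fullmatch(ref):
        matches = [c for c in KNOWN_COMMITS if c.startswith(ref)]
        if len(matches) == 1:
            return matches[0]
    return None


def partial_patch_allows(base_ref):
    """The first fix as described: refuse only a bare 40-character commit hash.
    A deny-list, so short hashes and other spellings slip through."""
    return not FULL_SHA.fullmatch(base_ref)


def allowlist_allows(base_ref):
    """Stronger gate: the base ref must be the name of an existing branch,
    regardless of whether it could also be parsed as a hash."""
    return base_ref in BASE_BRANCHES


def would_run_with_secrets(base_ref, gate):
    """Model the pull_request_target decision: the trusted workflow (with secrets)
    runs only if the ref resolves to a commit the base repo knows and the gate allows it."""
    return resolve(base_ref) is not None and gate(base_ref)
```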

In addition, on March 2, a fix for the vulnerability was rolled out in GitHub Enterprise Server 3.0.1.

Real-world impact

Speaking to The Daily Swig, Katz said that while he did not make the attempt himself, he believes a real-world attack “would probably have been feasible to pull off” – although there may be obstacles such as abuse detection mechanisms or rate limits.

“It would be difficult to conceal the malware for long – the malicious packages would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond,” Katz said.

“Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well. This would limit how many people would actually download the malware. That said, even having malware in popular packages for a few hours could still cause a lot of damage.”


Katz received a $25,000 bug bounty reward for his report.

Greg Ose, director of product security engineering at GitHub, told The Daily Swig: “Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure.

“Teddy Katz’s latest findings showcase the creativity and technical knowledge researchers bring to our program, and why we continue to engage with the security research community.”

In November, Google Project Zero researcher Felix Wilhelm disclosed a design flaw in GitHub Actions that could be exploited by attackers to secure write access to repositories and to unmask encrypted secrets.
