Posted by EditorDavid from the continuous-delivery dept.
Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that “may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns.” [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available… The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. “It’s important to note that these tokens weren’t part of the repository code but were only found in repository-produced artifacts,” Palo Alto Networks’ Yaron Avital explains…
“The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository.” Super-Linter has been updated and no longer prints environment variables to log files.
Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes.
Avital’s blog post notes other variations on the attack — and “The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory.” (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) “All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag.”
“This research was reported to GitHub’s bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts.” My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment…
As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub’s deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project’s security posture.
The blog post also notes protection and mitigation features from Palo Alto Networks….
The IBM purchase of ROLM gives new meaning to the term “twisted pair”. — Howard Anderson, “Yankee Group”
Working…
