Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

GitHub Actions workflow flaws provided write access to projects including Logstash

Security researchers have identified multiple workflows in popular continuous integration and development (CI/CD) service GitHub Actions that are vulnerable to command execution.

A research team from dating platform Tinder crafted an automation script that unearthed flaws that enabled the exfiltration of secrets that provide write access to various open source GitHub repositories, including Elastic’s Logstash.

blog post documenting the findings was penned by Rojan Rijal, Johnny Nipper, and Tanner Emek – respectively red teamer, senior product security manager, and engineering manager at Tinder.

The trio told The Daily Swig that “in the worst case scenario, you can exploit a vulnerable workflow to retrieve the GITHUB_TOKEN value”, which has read/write access to the repository by default. “This can be used to push a malicious build against users and perform supply chain related exploits.”

If more sensitive access secrets within the workflow such as AWS credentials, API Keys, or service credentials were exposed, “this could lead to a compromise of a company’s infrastructure”, they added.

The most common cause of vulnerabilities was unsafe user inputs in run scripts. The researchers also found many examples where pull_request_target was misused, which among other things could bypass a 2019 fix for an issue related to the use of event handlers in forked repositories.

The research focused on projects with vulnerability disclosure policies, with validated vulnerabilities responsibly reported to projects. Elastic’s security team quickly deactivated the vulnerable workflow and confirmed no abuse had occurred, said the researchers.

GitHub Workflow Auditor

Tinder Security Labs has open sourced the tool used for the research. GitHub Workflow Auditor checks workflows for unsafe user inputs, malicious commits, and secrets.

Given the limitations of comparable, existing tools, the authors told The Daily Swig that they “focused on covering most vulnerability cases in GitHub Actions as well as efficiency. As such, we allow organizations to scan all of their repositories at once by providing a GitHub API key. This reduces time and effort for security teams”.

The tool also addressed a supply chain risk posed by workflows running actions from old GitHub accounts. “In such cases, attackers can claim the account and push malicious actions allowing them to get access to the repository and its workflows,” the researchers explained. “This specific case was not covered by the tools that we tested.”

They added: “Our goal at Tinder Labs is to identify high impact vulnerabilities in a wide array of technologies which have global impact. As we research other technologies, you can expect to see more findings and tools from us in the future.”

Mitigations

The researchers urged developers to properly sanitize user inputs in GitHub Actions and mitigate attacks by limiting GitHub Tokens’ access scope.

GitHub Security Lab has, meanwhile, previously recommended that pull_request_target only be used when developers “need the privileged context of the target repo” in their workflow.

Tinder Security Labs’ findings follow the disclosure in March of misconfigured GitHub Actions workflows that caused critical flaws in dozens of repos, and a GitHub Actions patch in January for a code review safeguard bypass.

GitHub has not responded to The Daily Swig’s invitation to comment.

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/github-actions-workflow-flaws-provided-write-access-to-projects-including-logstash

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.” A Chinese-linked hacking group that security researchers say...

Cyber Security

The administration and its private sector partners announced a slate of new initiatives on Monday aimed at protecting the nation’s school systems and their...

Cyber Security

The plan includes measures for improving cybersecurity knowledge at all levels of education and improving how the federal government attracts, hires and pays cybersecurity...

Cyber Security

Using a vulnerability in MOVEit Transfer, hackers gained access to 8 to 11 million individuals’ ‘Users Data’ protected health information. Maximus, a US government contracting...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO