A security vulnerability in GitHub Actions has compromised several notable open-source projects maintained by companies like Google, Microsoft, AWS, and Red Hat. The flaw has led to the exposure of authentication tokens through CI/CD workflow artifacts, potentially allowing unauthorized access to private repositories and the insertion of malicious code.
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform integrated with GitHub. Launched in 2018, it allows you to automate your build, test, and deployment pipeline directly within your GitHub repository.
Discovery and Response
Palo Alto Networks’ Unit 42 identified the issue, discovering that these tokens were unintentionally becoming public. Despite the gravity of the situation, GitHub has decided not to rectify the underlying problem. Instead, they have recommended users take steps to secure their workflow artifacts. Repository administrators are now being advised to evaluate their vulnerabilities and take preventative actions to avoid future leaks.
Unit 42’s investigation highlighted several issues, including insecure default configurations and user errors. One primary issue involves the ‘actions/checkout’ feature, which defaults to storing the GitHub token in the local .git directory. If this directory is included in artifact uploads, the token becomes exposed.
Other sensitive information, such as API keys and cloud access tokens, might also be leaked through these artifacts. Build outputs and test results, stored for up to 90 days, can be accessed by anyone with read permissions to the repository.
CI/CD pipelines that store GitHub tokens in environment variables are similarly vulnerable. If actions or scripts within the workflow log these environment variables, they can be unintentionally exposed. For instance, enabling the ‘CREATE_LOG_FILE’ property in the ‘super-linter’ action can log these variables.
Exploitation and Recommendations
Token exposure risks can be actualized by extracting these credentials from log files and using them before they expire. GitHub tokens are valid for the duration of their workflow jobs, while the ‘Actions_Runtime_Token,’ used for caching and artifact management, remains valid for six hours. The exploitation window depends on the specific token type involved.
Leaked tokens can also enable unauthorized access to cloud infrastructures, raising further security concerns. The research showed that these tokens included access to third-party cloud services, not just GitHub. Artifactual data, containing these tokens, were found to be publicly accessible for up to three months. Malicious actors could automate the retrieval of artifacts, extract tokens, and use them to push malicious code to repositories.
Proof of Concept and Community Response
Researchers showcased the vulnerability by creating a branch in an open-source project, demonstrating the potential for remote code execution (RCE) on the runner handling the malicious artifact. They also developed a proof of concept (PoC) action to audit the source directory for secrets, blocking artifact uploads if any secret exposure risk was detected.
GitHub’s bug bounty program received the findings, but classified the issue as informational, suggesting that users bear the responsibility to secure uploaded artifacts. The insights were shared with Cyber Threat Alliance (CTA) to allow members to deploy protective measures and thwart potential cyber threats.
Last Updated on November 7, 2024 3:17 pm CET