
GitHub attack vector cracks Google, Microsoft and AWS projects

Researchers have discovered an attack vector that affected GitHub open source projects owned by Google, Microsoft, Amazon Web Services and others. It works by abusing the artifacts generated as part of software development workflows.

Researchers from Palo Alto Networks’ Unit 42 discovered the attack. According to a blog post published yesterday by lead researcher Yaron Avital, a compromise in these projects “could potentially have impacted millions of their consumers.”

Other companies whose projects were affected by the attack vector, which abuses so-called GitHub Actions artifacts, include Canonical (Ubuntu), the OWASP Foundation and Red Hat. The vector causes the artifacts to leak tokens from both third-party cloud services and GitHub tokens, making them available to anyone with “read access” to the repository, Avital wrote.

“This allows malicious actors with access to these artifacts to compromise the services that these secrets provide access to,” he explained. The most common leak detected was the leak of GitHub tokens, “which allows an attacker to counteract the triggering GitHub repository,” added Avital.

The disclosure could ultimately have enabled attackers to deploy malicious code via the continuous integration and continuous delivery/provisioning (CI/CD) pipeline, or to access secrets stored in the GitHub repository and GitHub organization, he explained.

Unit 42 worked with all companies and operators of the affected projects and “received great support from all teams” so that all discoveries could be contained “quickly and efficiently,” Avital wrote. However, other unknown private and public projects could also be exposed to the attack.

Poisoning the development cycle

CI/CD environments, processes and systems are an essential part of modern software development in the process of building, testing and pushing code to production. However, they provide a golden opportunity for attackers as they use highly sensitive credentials to authenticate to various types of services, which “poses a significant challenge in maintaining a high level of credential hygiene,” Avital wrote.

The discovered attack focuses on GitHub Actions artifacts, the workflow build artifacts that allow developers to store and share data across jobs within the same workflow. “These artifacts can be any files generated during your build process, such as compiled code, test reports, or deployment packages,” Avital explained.

Artifacts ensure that critical data is not lost after a workflow completes and is accessible for later analysis or deployment. This is “especially useful for sharing test results or deployment packages between dependent jobs,” Avital noted.

GitHub Actions workflows often use secrets to interact with different Cloud services and with GitHub itself. These secrets, in turn, include the ephemeral, automatically generated GitHub token that is used to perform actions on the repository.

“Actions’ build artifacts are outputs generated by executing workflows. Once created, they are stored for up to 90 days,” Avital explained. “In open source projects, these artifacts are publicly available and anyone can use them.”

The attack flow he discovered allows attackers to download the publicly available artifact, extract the token, and push malicious code into an open source project’s repository. The code then becomes part of the project and could thus be executed as part of a software or service that end users ultimately access.

Unit 42’s contribution included a list of GitHub open source projects known to be affected by the attack vector.

A holistic defence approach is required

GitHub has become a prime target for threat actors because of its attractiveness: with just a few lines of code in repositories, an attacker can reach countless software products and services.

The new attack vector shows that “we have a gap in the current security discussion regarding artifact scanning” on GitHub, Avital wrote, meaning that organizations that use the artifacts mechanism “should reevaluate the way they use it.”

He also recommended that defenders take a holistic approach to software development, examining each stage (from code to production) for potential vulnerabilities. “Overlooked elements such as build artifacts often become prime targets for attackers,” Avital wrote.

Organizations should also reduce the workflow permissions of runner tokens according to the principle of least privilege and audit artifact creation in their CI/CD pipelines as part of a proactive and vigilant security approach to strengthen the security posture of development projects, he noted.
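The attack flow described earlier (download a public artifact, extract the token) and the recommendation above to audit artifact creation both come down to one question: does the file set a workflow uploads contain credentials? The script below is an added example written for this article, not Unit 42’s tooling or GitHub’s. It unpacks a downloaded artifact zip and reports GitHub tokens (by their public prefixes), AWS access key IDs as a representative third-party cloud credential, and a git config carrying an Authorization header, the file where a checkout that persisted credentials stores them; that last location is an assumption added here, not something the article states. The sample artifact is constructed in memory with placeholder values (the AWS key is AWS’s own documented example) so the script runs offline.

```python
"""Audit a GitHub Actions artifact (.zip) for leaked credentials before or after upload.

Added example for this article; not Unit 42's or GitHub's code. Findings are
reported as (path, kind, line number) and the secret value is never echoed back.
"""
import io
import re
import zipfile

# Public GitHub token prefixes: ghp_ (classic PAT), gho_, ghu_, ghs_ (the ephemeral
# GITHUB_TOKEN a run receives), ghr_, and github_pat_ for fine-grained PATs.
PATTERNS = {
    "github_token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})"
    ),
    # AWS access key IDs (long-term AKIA..., temporary ASIA...).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # git config line that embeds basic-auth credentials for github.com
    # (assumed location of persisted checkout credentials; not from the article).
    "git_auth_header": re.compile(
        r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+\S+", re.IGNORECASE
    ),
}

MAX_BYTES = 5 * 1024 * 1024  # skip oversized entries; a real scanner would stream them


def scan_artifact(zip_bytes):
    """Return [(path, kind, line_no), ...] for every credential-looking line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_BYTES:
                continue
            # Binary members are tolerated: undecodable bytes are dropped, not fatal.
            text = zf.read(info).decode("utf-8", errors="ignore")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for kind, pattern in PATTERNS.items():
                    if pattern.search(line):
                        findings.append((info.filename, kind, line_no))
    return findings


def contains_git_metadata(zip_bytes):
    """Uploading the .git directory is itself a red flag, token or not."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(name.startswith(".git/") for name in zf.namelist())


def build_sample_artifact():
    """Constructed artifact: a whole workspace uploaded, .git directory included."""
    fake_ghs = "ghs_" + "A" * 36  # placeholder, not a real token
    files = {
        "app/dist/bundle.js": "console.log('hello');\n",
        ".git/config": (
            "[core]\n"
            "\trepositoryformatversion = 0\n"
            '[http "https://github.com/"]\n'
            "\textraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46" + "x" * 20 + "\n"
        ),
        "ci/env.txt": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nGITHUB_TOKEN=" + fake_ghs + "\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    artifact = build_sample_artifact()
    print("contains .git metadata:", contains_git_metadata(artifact))
    for path, kind, line_no in scan_artifact(artifact):
        print(f"{path}:{line_no}: {kind}")
```

Run the same `scan_artifact` over a real artifact downloaded from the run page (or as a step before `actions/upload-artifact` in the workflow) and fail the job on any finding; the prefix patterns are deliberately narrow, so extend `PATTERNS` with the credential formats of whichever cloud services your workflows talk to.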
