The vulnerability was present in GitHub’s pull request mechanism
A security vulnerability that allowed attackers to expose Actions secrets in GitHub repositories has been patched, and the researcher who found the bug was awarded $25,000.
On March 17, bug bounty hunter and Google employee Teddy Katz published a write-up of a GitHub vulnerability discovered in the interaction between repositories and the company's workflow automation software, GitHub Actions.
Tracked as CVE-2021-22862, the security flaw is described as an improper access control vulnerability that "allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork".
Katz examined how GitHub manages pull requests. Every pull request is supposed to have a base branch (base ref), and that is typically the main branch of a repository.
Pull request creators can set the base ref pointer. However, the bug bounty hunter realized that it was possible to point the base ref at a commit hash rather than a branch, and while on its own this merely produced errors due to merge conflicts, GitHub Actions' permissions model turned the quirk into something more serious.
Stealing secrets
In GitHub Actions, pull requests, which are commonly used to trigger automated workflows, are treated as a special case. To stop pull request authors from accessing repository secrets, GitHub runs the workflow against a simulated merge of the pull request, and whether that workflow is trusted depends on the pull request's base branch, which belongs to the base repository rather than to a fork.
At least, it does, unless the base ref is first turned into a commit.
According to Katz, this "breaks the GitHub Actions permission model" and bypasses the restrictions on Actions secrets.
"Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by [it] are trusted and run with access to secrets," the researcher explained.
"We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository, since GitHub shares commits between forks."
An attacker could fork a public repository that uses GitHub Actions, commit a malicious Actions workflow to the fork, and then open a pull request against the parent repository with the base ref set to that commit, obtaining access to the parent repository's secrets in the process.
There are limitations to exploiting the vulnerability: an attacker needs to be able to fork the target repository, and the repository must have been using GitHub Actions before the attack attempt.
The vulnerability was first disclosed to GitHub's security team via the HackerOne bug bounty platform on February 4, 2021. The issue was triaged and "partially patched" the same day by stopping Actions builds from being triggered by a pull request whose base ref consisted of a 40-character commit hash.
However, if the base ref was set to a short hash or another symbolic reference that resolves to a commit, the vulnerability was still exploitable. Katz reported his findings to GitHub once again, and a fix was rolled out to the github.com domain a few hours later.
In addition, on March 2, a fix for the vulnerability was rolled out in GitHub Enterprise Server 3.0.1.
Speaking to The Daily Swig, Katz said that while he did not make the attempt himself, he believes a real-world attack "would probably have been feasible to pull off", although there may be obstacles such as abuse detection mechanisms or rate limits.
"It would be difficult to conceal the malware for long – the malicious packages would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond," Katz said.
"Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well. This would limit how many people would actually download the malware. That said, even having malware in popular packages for a few hours could still cause a lot of damage."
Katz received a $25,000 bug bounty reward for his report.
Greg Ose, director of product security engineering at GitHub, told The Daily Swig: "Every submission to our bug bounty program is an opportunity to make GitHub, our products, and our customers more secure.
"Teddy Katz's latest findings showcase the creativity and technical knowledge researchers bring to our program, and why we continue to engage with the security research community."
In November, Google Project Zero researcher Felix Wilhelm disclosed a design flaw in GitHub Actions that could be exploited by attackers to gain write access to repositories and to unmask encrypted secrets.
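To make concrete why the day-one mitigation left the bug exploitable, here is an added example (mine, not code from GitHub or from Katz's write-up) that puts a shape-based check of the kind described above, refusing only a 40-character hash, beside a check that accepts a base ref only if it names an existing branch of the base repository. The branch names and hashes are constructed, and the branch allowlist is an assumed hardened form for illustration, not GitHub's published fix.

```python
import re

# Shapes a denylist might reason about. A full SHA-1 is exactly 40 hex
# characters, but git also resolves abbreviated hashes and revision
# expressions such as "<ref>~1", so matching on shape leaves obvious gaps.
FULL_HASH = re.compile(r"[0-9a-f]{40}")
ABBREV_HASH = re.compile(r"[0-9a-f]{4,39}")
REV_EXPRESSION = re.compile(r".*[~^@].*")

# Constructed branch list standing in for the base repository's real branches.
BASE_REPO_BRANCHES = {"main", "release-1.2"}


def partial_fix_allows(base_ref: str) -> bool:
    """Shape-based check modelled on the day-one mitigation the article
    describes: refuse only a base ref that is a 40-character commit hash.
    Everything else still triggers a build."""
    return FULL_HASH.fullmatch(base_ref) is None


def branch_allowlist_allows(base_ref: str, branches: set) -> bool:
    """Assumed hardened form (not GitHub's published fix): trust a base ref
    only if it names an existing branch of the base repository, whatever the
    string looks like. Abbreviated hashes, revision expressions and any other
    commit-ish that git would resolve are rejected."""
    return base_ref in branches


def classify(base_ref: str) -> str:
    """Label a base ref by shape so the two policies can be compared."""
    if FULL_HASH.fullmatch(base_ref):
        return "full hash"
    if ABBREV_HASH.fullmatch(base_ref):
        return "abbreviated hash"
    if REV_EXPRESSION.fullmatch(base_ref):
        return "revision expression"
    return "name"


def evaluate(base_ref: str, branches: set = BASE_REPO_BRANCHES) -> dict:
    """Run both policies over one base ref and report what each would allow."""
    return {
        "kind": classify(base_ref),
        "partial_fix": partial_fix_allows(base_ref),
        "allowlist": branch_allowlist_allows(base_ref, branches),
    }


if __name__ == "__main__":
    # Constructed inputs: a branch, a 40-char hash, a 12-char abbreviation of
    # it, and a revision expression that git resolves to a commit.
    for ref in ["main", "a" * 40, "a" * 12, "main~1"]:
        print(f"{ref:>42}  {evaluate(ref)}")
```

The shape-based check stops the full hash but waves through the abbreviated hash and the revision expression, which is the gap the second report closed. The allowlist does not try to recognise hashes at all: a branch that happens to be named with hex characters is still accepted because it exists, and a commit that is merely reachable from the base repository is rejected because no branch points at it, which is the property the permission model actually depends on.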