GitHub Vulnerability “ArtiPACKED” Trigger RCE Exploit to Hack Repositories
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
The research identifies a critical security vulnerability in GitHub Actions artifacts, enabling unauthorized access to tokens and secrets within CI/CD pipelines.
Misconfigured workflows in major organizations’ public repositories exposed sensitive information, potentially compromising cloud environments and allowing attackers to inject malicious code into production systems.
A researcher automated the process of downloading and scanning artifacts from popular open-source projects by analyzing the potential for GitHub Actions artifacts to contain sensitive data like secrets.
.webp)
GitHub Actions artifact.
The investigation revealed a significant security risk, as artifacts from projects maintained by major tech companies and open-source organizations were found to expose secrets, potentially impacting millions of users.
Abusing Leaked GitHub Tokens
It has been discovered that GitHub tokens, particularly GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN, were inadvertently included in public artifacts due to common workflow practices.
The actions/checkout action persists the GITHUB_TOKEN in the .git directory by default, which is often uploaded as an artifact.
Additionally, the super-linter tool previously logged environment variables, including tokens, to a file that was also included in artifacts, which exposed sensitive tokens to unauthorized access.
.webp)
Example of a Microsoft repository workflow uploading a valid GITHUB_TOKEN in an artifact.
They exploited vulnerabilities in GitHub actions to abuse leaked tokens. By targeting the ephemeral GITHUB_TOKEN and the undocumented ACTIONS_RUNTIME_TOKEN, they developed techniques to extract these tokens from workflow artifacts.
Furthermore, they identified a new attack vector using GitHub’s recently introduced artifact download feature, allowing the extraction and use of GITHUB_TOKEN before its expiration, facilitating unauthorized code pushes to repositories.
.webp)
Attack flow.
While early attempts were thwarted by token expiration, they successfully exploited a workflow with subsequent steps after artifact upload to steal and utilize a valid token, which allowed them to create a branch in the clair project, demonstrating the potential for unauthorized code pushes to open-source repositories through this vulnerability.
.webp)
Creation of branch impala in the “clair” open-source project by Red Hat.
The attacker optimized a previous attack by developing RepoReaper, a GitHub Actions workflow that monitors target repositories for workflow runs and rapidly downloads and extracts leaked tokens from artifacts upon detection, then exploits them to create malicious branches via the GitHub REST API, compromising the target repository.
The approach leverages GitHub’s infrastructure for speed and efficiency, bypassing rate limits and certificate verification for maximum impact.
The researcher at Palo Alto Networks discovered a vulnerability allowing sensitive information leakage through GitHub Actions artifacts, compromising numerous high-profile projects.
#Cyber_Security_Research #Information_Security #Vulnerability #CI/CD_Pipelines #GitHub_Security #remote_code_execution
Оригинальная версия на сайте:
GitHub Vulnerability “ArtiPACKED” Trigger RCE Exploit to Hack Repositories
Author: Balaji NThe research identifies a critical security vulnerability in GitHub Actions artifacts, enabling unauthorized access to tokens and secrets within CI/CD pipelines.
Misconfigured workflows in major organizations’ public repositories exposed sensitive information, potentially compromising cloud environments and allowing attackers to inject malicious code into production systems.
A researcher automated the process of downloading and scanning artifacts from popular open-source projects by analyzing the potential for GitHub Actions artifacts to contain sensitive data like secrets.
GitHub Actions artifact.The investigation revealed a significant security risk, as artifacts from projects maintained by major tech companies and open-source organizations were found to expose secrets, potentially impacting millions of users.
Abusing Leaked GitHub Tokens
It has been discovered that GitHub tokens, particularly GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN, were inadvertently included in public artifacts due to common workflow practices.
The actions/checkout action persists the GITHUB_TOKEN in the .git directory by default, which is often uploaded as an artifact.
Additionally, the super-linter tool previously logged environment variables, including tokens, to a file that was also included in artifacts, which exposed sensitive tokens to unauthorized access.
Example of a Microsoft repository workflow uploading a valid GITHUB_TOKEN in an artifact.They exploited vulnerabilities in GitHub actions to abuse leaked tokens. By targeting the ephemeral GITHUB_TOKEN and the undocumented ACTIONS_RUNTIME_TOKEN, they developed techniques to extract these tokens from workflow artifacts.
Furthermore, they identified a new attack vector using GitHub’s recently introduced artifact download feature, allowing the extraction and use of GITHUB_TOKEN before its expiration, facilitating unauthorized code pushes to repositories.
Attack flow.While early attempts were thwarted by token expiration, they successfully exploited a workflow with subsequent steps after artifact upload to steal and utilize a valid token, which allowed them to create a branch in the clair project, demonstrating the potential for unauthorized code pushes to open-source repositories through this vulnerability.
Creation of branch impala in the “clair” open-source project by Red Hat.The attacker optimized a previous attack by developing RepoReaper, a GitHub Actions workflow that monitors target repositories for workflow runs and rapidly downloads and extracts leaked tokens from artifacts upon detection, then exploits them to create malicious branches via the GitHub REST API, compromising the target repository.
The approach leverages GitHub’s infrastructure for speed and efficiency, bypassing rate limits and certificate verification for maximum impact.
The researcher at Palo Alto Networks discovered a vulnerability allowing sensitive information leakage through GitHub Actions artifacts, compromising numerous high-profile projects.
#Cyber_Security_Research #Information_Security #Vulnerability #CI/CD_Pipelines #GitHub_Security #remote_code_execution
Оригинальная версия на сайте:
