Unresolved GitHub Actions flaw allows code to be approved without review
13 October 2021 at 15:47 UTC
Updated: 13 October 2021 at 15:52 UTC
Mitigations are available for yet-to-be-fixed vulnerability
A security loophole in GitHub Actions allows software code to be automatically passed without any peer or supervisor review.
The vulnerability, discovered by security researcher Omer Gil and colleagues from security startup Cider Security, circumvents security controls and exists even in the installations of organizations that have not enabled the recently introduced feature.
The team from Cider Security – a startup focused on CI/CD (continuous integration/continuous delivery) security – uncovered the issue in GitHub during research into novel attack vectors in the arena of DevOps.
Gil told The Daily Swig: “Required reviews is one of the most widely used security mechanisms in GitHub, and since GitHub Actions is installed by default nearly any organization is vulnerable to this.”
In a blog post on Medium, Cider Security explained how the shortcoming clears the way for a rogue developer or attackers with access to a single compromised account to push malicious code into production software by circumventing a process that would normally mandate independent checks:
“A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.”
GitHub Actions – GitHub’s CI service – offers a mechanism to build and run workflows from development to production systems. The technology is installed by default on all software repositories of organizations that use GitHub’s software development platform to manage projects.
Even those with only user privileges can change workflows, therefore admin privileges are not needed to push potentially malicious code through the software process without review.
“Anyone with write access to a repository can modify the permissions granted to the GITHUB_TOKEN, adding or removing access as required, by editing the permissions key in the workflow file,” Cider Security explains.
These changes have a big effect when pull requests are made.
“As the PR is created, it cannot be merged since approval is required. However, the workflow immediately runs and the PR is approved by the GitHub-actions bot, which the GITHUB_TOKEN belongs to,” Cider Security explains.
“It’s not an organization member, but counts as PR approval, and effectively allows the attacker to approve their own PR, basically bypassing the branch protection rules.”
Cider Security has produced a video (via YouTube) illustrating the hack.
Cider House Rules
Remediation aimed at resolving the problem is ongoing and the issue is not yet fully fixed.
“GitHub’s response was standard for a bug report – I reported it through their bug bounty program, they acknowledged it, and said they’d work on a fix,” Gil said. “I asked to disclose it, and they approved.”
The Daily Swig approached GitHub’s press team for comment on the issue. We’re yet to hear back but we’ll update this story as soon as more information comes to hand.
In the absence of any specific advice to date from GitHub, Cider Security has come up with a list of potential mitigations. Organizations should consider disabling GitHub Actions across their whole enterprise or for specific (more sensitive) repositories.
Where GitHub Actions is in use, mitigation is still possible by making changes to ensure that two code approvals are needed, for example.
YOU MAY ALSO LIKE Apache HTTP Server update fails to squash path traversal, RCE bugs