GitHub Vulnerability Exposes Major Tech Projects to Security Risks
August 15, 2024
Palo Alto Networks has discovered vulnerabilities in the CI/CD processes of several well-known open-source projects, including those developed by Google, Microsoft, AWS, and Red Hat. The issue is related to the leakage of GitHub tokens, which can be used for unauthorized access to private repositories, theft of source code, or injection of malicious software.
These tokens end up in artifacts due to a combination of factors: unsafe default settings, user configuration errors, and insufficient security checks during the setup of GitHub workflows. A key element of the problem is the widely used “actions/checkout” action in GitHub workflows, which clones the repository code and makes it available for workflow execution.
How GitHub Actions Artifacts Cause Token Leaks
By default, the “actions/checkout” action saves the token in the local .git directory. If this directory is accidentally uploaded as an artifact, the token becomes accessible to outsiders. Additionally, the directory may contain other sensitive data, such as API keys and cloud service access tokens.
The problem is made worse by the fact that artifacts generated during CI/CD processes—such as build and test results—can be stored and accessed for up to three months. Another risk comes from environment variables used in CI/CD pipelines to store GitHub tokens. These variables can accidentally be written to logs, making them accessible through artifacts.
If attackers gain access to leaked tokens, they can exploit various race condition scenarios, trying to extract and use the tokens before they expire. GitHub tokens are valid only for the duration of the workflow run, and how long a leaked token remains usable depends on the specific token type. For example, the ACTIONS_RUNTIME_TOKEN used by GitHub for managing caching and artifacts is typically active for six hours, limiting the attack window.
Attack Chain and Affected Projects
Palo Alto Networks identified token leaks in 14 major open-source projects and notified the developers. Affected projects include Firebase (Google), OpenSearch Security (AWS), Clair (Red Hat), JSON Schemas (Microsoft), and others.
Recommendations for GitHub Users
- Review your CI/CD process settings and avoid uploading entire directories as artifacts.
- Clean logs and regularly audit workflow configurations.
- Set the minimum necessary permissions for tokens to reduce risks in case of a leak.
- Change default settings for actions like “actions/checkout” to prevent saving tokens and other sensitive data.
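The weak and the hardened form of such a workflow, shown together as an added example that is not part of the original article or of Palo Alto Networks' research. The workflow, job, artifact names and the `make build` / `dist/` layout are hypothetical; `persist-credentials`, `permissions`, `retention-days` and the `http.https://github.com/.extraheader` config key are the real settings actions/checkout and GitHub Actions use.

```yaml
# Two separate workflow files shown in one listing (YAML document separator).

# --- .github/workflows/build-weak.yml ---
# Weak: the default checkout persists the token in .git/config, and the whole
# workspace (including .git) is uploaded, so the token ships inside the artifact
# and stays downloadable for the default 90-day retention period.
name: build-weak
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .            # uploads .git and everything else in the workspace
---
# --- .github/workflows/build-hardened.yml ---
# Hardened: no persisted credentials, a least-privilege GITHUB_TOKEN, a check
# that aborts the job if a token is still stored on disk, and an artifact that
# contains only build output and expires quickly.
name: build-hardened
on: [push]
permissions:
  contents: read           # minimum the job needs; limits damage if the token leaks
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: make build
      - name: Refuse to upload if checkout credentials are still in .git/config
        run: |
          # actions/checkout stores the token under this key when it persists it
          if git config --get http.https://github.com/.extraheader >/dev/null; then
            echo "::error::checkout credentials still present in .git/config"
            exit 1
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/        # build output only, never the whole workspace
          retention-days: 1  # shrink the window in which a leaked artifact can be fetched
```

The pre-upload check is a defensive guard for the case where a different checkout step, or an older action version, re-persists credentials without the maintainer noticing.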
Although Palo Alto Networks identified these issues, the main problems remain unresolved, as GitHub has chosen not to address the risk directly, placing the responsibility for artifact security on users. Given the situation, GitHub users need to be aware of the risks, assess their own vulnerabilities, and take proactive steps to prevent future leaks.