Flaws In GitHub Actions Bypass Code Review Mechanism
Attackers Can Push Code To A Protected Branch
Researchers at Cider Security have uncovered a security loophole in GitHub Actions that allows adversaries to bypass the required reviews mechanism and push non-reviewed code to a protected branch, allowing it into the pipeline to production.
Lead security researcher Omer Gil and his team of researchers at Cider Security, a start-up focusing on continuous integration/continuous delivery security, found the vulnerability as part of their research into novel attacks on DevOps, according to a blog post on Medium.
Gil tells Information Security Media Group that required reviews is one of the most widely used security mechanisms in GitHub and, since GitHub Actions is installed by default, nearly any organization is vulnerable to this.
"An attacker compromising a GitHub user account, or simply a developer that wants to bypass this restriction, can simply push code to a protected branch. Since code in protected branches is usually used in production systems by many users or by other systems, the impact is high," Gil notes.
GitHub, a software development and version control platform designed for collaboration, serves millions of users and companies who use it to host their codebases - a collection of source code used to build a particular software system, application, or software component.
A spokesperson for GitHub was not immediately available to share additional details.
GitHub Actions is GitHub's continuous integration/continuous delivery offering, which provides a mechanism to automate, customize and execute software development workflows right in your repository from development to production systems.
Researchers say that GitHub Actions is installed by default on any GitHub organization, and on all of its repositories, and any user who has write permission to push code to the repositories can create a workflow that runs when code is pushed.
"With each workflow run, GitHub creates a unique GitHub token (GITHUB_TOKEN) to use in the workflow to authenticate against the repo. These permissions have a default setting, set in the organization or repository level. This setting allows granting the token with restricted permissions — Read permission on the contents and metadata scopes, or permissive permissions — Read/Write permissions on various scopes, such as contents, packages, and pull requests," the researchers note.
However, any user with write access to a repository can modify the permissions granted to the token and can add or remove access as required by manipulating the permissions key in the workflow file, the researchers note.
If an attacker hijacks a user account, they can push code to a protected branch by creating a pull request with the intent to merge their malicious code to a protected branch.
A pull request lets users tell others about changes they've pushed to a branch in a repository on GitHub. Once a PR is opened, users can discuss and review the potential changes with collaborators and add follow-up commits before their changes are merged into the base branch, explains the GitHub website.
"As the PR is created, it cannot be merged since approval is required. However, the workflow immediately runs and the PR is approved by the github-actions bot, which the GITHUB_TOKEN belongs to. It’s not an organization member, but counts as PR approval, and effectively allows the attacker to approve their own PR, basically bypassing the branch protection rules with the result of pushing code to a protected branch without any other organization member’s approval," the researchers note.
Branch protection rules can be set by organization owners to require pull request approvals before merging, where a user cannot approve their own pull request.
Researchers at Cider Security have produced a proof of concept video sharing details about the hack.
Gil says he has no indication of whether this issue was exploited, but recommends GitHub organization owners disable GitHub Actions if it's not in use. And if it is, then this issue can be solved by requiring the approval of Code Owners, or by requiring two or more approvals to merge a pull request.
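The two mitigations Gil recommends, together with a check for bot-supplied approvals in a pull request's review list, as an added example that is not Cider Security's or GitHub's code. It works on dicts shaped like GitHub's REST API branch-protection and PR-review responses but uses constructed samples rather than live calls, and it assumes `github-actions[bot]` is the login under which the GITHUB_TOKEN acts.

```python
"""Audit helpers for the GitHub Actions auto-approval bypass described above.

Added example, not Cider Security's or GitHub's code. Inputs are dicts shaped
like GitHub REST API responses; the samples at the bottom are constructed.
"""
from typing import Iterable

# Identity the GITHUB_TOKEN acts as when a workflow reviews a PR (assumed).
BOT_LOGINS = {"github-actions[bot]"}


def protection_findings(required_pr_reviews: dict) -> list[str]:
    """Return weaknesses in a branch's required_pull_request_reviews setting.

    Applies the article's mitigations: a single approval that need not come
    from a Code Owner can be supplied by the github-actions bot, so either
    require Code Owner review or require two or more approvals.
    """
    count = required_pr_reviews.get("required_approving_review_count", 0)
    code_owners = required_pr_reviews.get("require_code_owner_reviews", False)
    if count < 2 and not code_owners:
        return ["one non-Code-Owner approval suffices; a workflow's "
                "GITHUB_TOKEN can supply it via the github-actions bot"]
    return []


def human_approvals(reviews: Iterable[dict], pr_author: str) -> int:
    """Count APPROVED reviews from humans other than the PR author.

    Bot identities are ignored, and only each reviewer's latest review
    counts, mirroring how GitHub evaluates the approval requirement.
    """
    latest: dict[str, str] = {}
    for review in reviews:
        user = review["user"]
        if user.get("type") == "Bot" or user["login"] in BOT_LOGINS:
            continue  # approval came from a workflow token, not a person
        if user["login"] == pr_author:
            continue  # authors cannot approve their own PR
        latest[user["login"]] = review["state"]
    return sum(1 for state in latest.values() if state == "APPROVED")


# Constructed sample data shaped like the API responses.
WEAK_RULE = {"required_approving_review_count": 1,
             "require_code_owner_reviews": False}
STRONG_RULE = {"required_approving_review_count": 2,
               "require_code_owner_reviews": True}
SAMPLE_REVIEWS = [
    {"user": {"login": "github-actions[bot]", "type": "Bot"}, "state": "APPROVED"},
    {"user": {"login": "mallory", "type": "User"}, "state": "APPROVED"},
    {"user": {"login": "alice", "type": "User"}, "state": "CHANGES_REQUESTED"},
    {"user": {"login": "alice", "type": "User"}, "state": "APPROVED"},
]
```

Run against a real repository, the same two functions would take the branch-protection object and the list of reviews for a PR as returned by the API.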
Cider Security reported the vulnerability to GitHub’s bug bounty program on Sept. 15, and the firm acknowledged it the same day.
"The issue is not fixed. GitHub said they'll work on fixing it. I believe adversaries can definitely take advantage of this issue in their attempts to reach production systems and expand their hold in their victims' assets," Gil notes.