Insecurities in CI/CD pipelines exist, and attackers might take use of them to undermine contemporary development and install malicious code. Two security flaws were found in the GitHub environments of two highly well-known open source projects from Google and Apache that might be used to slyly alter the project’s source code, steal information, and move around an organisation.
Researchers from Legit Security discovered the holes affecting a Google Firebase project and a well-known integration framework project run by Apache. They are continuous integration/continuous delivery (CI/CD) flaws that potentially endanger many more open source projects worldwide.
The vulnerability pattern was given the name “GitHub Environment Injection” by researchers. By writing a specially crafted payload to a GitHub environment variable called “GITHUB ENV,” it enables attackers to take over a vulnerable project’s GitHub Actions pipeline.
The problem is specifically with the manner that GitHub distributes environment variables in the build machine, which can be used to extract data, including the repository ownership credentials.
Caspi claims that his team discovered the issues as part of an ongoing inquiry into CI/CD processes. They had been specifically looking for vulnerabilities in the GitHub ecosystem because it is one of the most widely used source code management (SCM) systems in the open source and enterprise development worlds, making it a natural vehicle for injecting vulnerabilities into software supply chains. This was due to an increase in SolarWinds-style supply chain flaws. He says that these vulnerabilities are a result of the GitHub platform’s design flaws as well as how various open source projects and businesses use the site.
“You could potentially write a very safe build script if you are super aware of the risks and circumvent a lot of risky operations,” he explains. “But I think nobody is really aware of that, and there are a couple of mechanisms within GitHub Actions that are very dangerous that are used in everyday build operations.”
He claims that while using GitHub Action and other build tools, enterprise development teams should always assume they can’t be trusted.
“They should assume that the components they’re using to build — whether it is a build plug-in or anything submitted to them — that an attacker could leverage that,” he says. “And then they should isolate the environment and also review code in a way that it doesn’t execute code submitted for you.”
According to Caspi, these issues demonstrate that the code that makes up the CI/CD pipeline and its integration, as well as the open source project itself, is a possible vector for supply chain vulnerabilities. The two bugs have both been fixed.
