Merge requests and insecure GitHub workflows may lead to supply-chain attacks
Starting with Google Firebase and Apache Camel repos
Security researchers at Legit Security identified vulnerabilities in the GitHub automated workflows used by Google Firebase and Apache Camel that could have been abused to compromise those open-source projects through their GitHub CI/CD pipeline and insert malicious code.
The Israel-based security shop called the exploitation technique "GitHub Environment Injection." It's a way to exploit the platform's automated integration and build process by injecting a malicious payload through GITHUB_ENV, the GitHub Actions environment variable that points at the file used to pass environment variables to the subsequent steps of a workflow job.
Legit Security claims a rogue or compromised developer could have used this technique to alter the source code for Firebase or Apache Camel and, among other things, conducted a supply-chain attack on users of that code. Malicious code that made it into either project could then have been deployed by the organizations relying on it.
To be clear, the issue here is that the Firebase and Apache Camel repositories had poorly secured GitHub workflow pipelines, which could have been exploited by someone using Legit's environment injection technique to meddle with those projects.
"Any GitHub user could exploit this flaw by forking the original repository, creating the malicious payload and then merging it back to the original repository," explained Liav Caspi, CTO of Legit, in an email to The Register. "That’s all that is required to trigger the flaw and take over a vulnerable pipeline."
Caspi said this is the standard workflow for a contributor to an open-source project. "What is especially dangerous with this vulnerability is that it is triggered before the maintainer gets the chance to review the change, and [the maintainer] does not need to accept it for the vulnerability to take place," said Caspi.
According to Caspi, no special privileges are required to conduct this type of attack. "Any authenticated GitHub user could take advantage of this," he explained.
"A first contribution by the user needs a general approval by the maintainer, but any following contribution by the contributor can take advantage of the vulnerability."
We're told that the malicious code doesn't actually have to be merged. The merge request alone is enough: the workflow it triggers exposes an access token, and that token is what allows the attacker to compromise the repo and abuse it later.
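As an added illustration, not code from Legit Security, Google or Apache and not the affected workflows themselves, here is a heuristic audit script for the pattern the article describes. It flags workflow files that run on `pull_request_target` (the trigger that gives pull requests from forks the base repository's write token and secrets), check out the contributor's PR head, and then append to `$GITHUB_ENV`; the two sample workflows are constructed, and the regex matching is a rough screen rather than a full YAML parse.

```python
"""Heuristic audit for the GitHub Actions pattern described above: a workflow
that runs on fork pull requests with the base repository's write token,
checks out the untrusted PR head, and then writes into $GITHUB_ENV."""
import re
import sys
from pathlib import Path

# pull_request_target runs with the base repo's token and secrets even for
# PRs from forks; a plain pull_request trigger gets a read-only token there.
PRIVILEGED_PR_EVENT = re.compile(r"\bpull_request_target\b")
# Checking out the PR head puts contributor-controlled files on the runner.
PR_HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)")
# Any shell redirection that appends to the GITHUB_ENV file.
GITHUB_ENV_WRITE = re.compile(r">>?\s*\"?\$\{?GITHUB_ENV\}?\"?")

def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file (empty = clean)."""
    findings = []
    if not PRIVILEGED_PR_EVENT.search(text):
        return findings  # unprivileged PR workflows cannot leak a write token
    if PR_HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target checks out untrusted PR head")
    if GITHUB_ENV_WRITE.search(text):
        findings.append("writes to $GITHUB_ENV in a privileged PR workflow")
    return findings

def audit_directory(root: Path) -> dict[str, list[str]]:
    # Audit every workflow file under root; only paths with findings are kept.
    results = {}
    for path in sorted(root.glob("*.y*ml")):
        findings = audit_workflow(path.read_text())
        if findings:
            results[str(path)] = findings
    return results

# Constructed samples (not the Firebase or Camel workflows).
RISKY_WORKFLOW = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "APP_VERSION=$(cat VERSION)" >> $GITHUB_ENV
"""
# Same job on the plain pull_request trigger: fork PRs get a read-only token.
SAFER_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for path, findings in audit_directory(Path(sys.argv[1])).items():
        print(path, *findings, sep="\n  ")
```

Run it as `python audit.py .github/workflows` to list each workflow file with its findings.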
Legit Security said both Google and the Apache project maintainers were informed of the vulnerability and each has addressed the problem in their repositories. Google did not respond to a request for comment.
"The ASF Security Team confirms that it was the Camel GitHub repository that was affected," an Apache Software Foundation spokesperson told The Register in an email. "The issue was reported to the ASF on 4th April, 2022 and fixed on 5th April.
"It was not a bug in Apache Camel but an issue with a configuration/script file used by a GitHub workflow. No CVE will be issued as there was no security vulnerability in a software product created by the ASF and made available for download to ASF users."
Caspi expressed concern that while Google and Apache have made repairs, other software projects are likely to be vulnerable.
Legit Security today published details of these flaws for developers wishing to shore up their GitHub workflows.
"We believe many more issues will be found in the future," Caspi said.
"CI/CD systems are complex and evolve rapidly, and CI/CD vendors will need to do more to close the security gap. The main problem is that build systems trust the code they build by default, and attackers have learned ways to inject content that exploits this default trust to compromise the build process. This is an attack pattern we are seeing more and more." ®