John Leyden 19 January 2022 at 16:30 UTC
Uncheck risky setting option offered
Tighter controls have been introduced to resolve a weakness in GitHub Actions that made it possible to circumvent code review safeguards.
Omer Gil and colleagues from security start-up Cider Security discovered the code review bypass risk was present even for organizations that had not enabled the recently introduced GitHub Actions feature.
Gil previously told The Daily Swig: “Required reviews is one of the most widely used security mechanisms in GitHub, and since GitHub Actions is installed by default nearly any organization is vulnerable to this.”
GitHub Actions – GitHub’s continuous integration (CI) service – offers a mechanism to build and run software development workflows all the way from development to production systems.
In a blog post on Medium, Cider Security explained how authorization bypass weaknesses make it potentially possible for either a rogue developer or attackers to self-approve pull requests, opening the door to planting malicious software into the tributaries that feed production software.
An attacker would only need to compromise a single user account before attempting an attack, which relies on editing the permissions key in the workflow file.
Cider Security was cleared to publish its take on the vulnerability last October, weeks before GitHub closed the loophole.
As explained in a blog post this week, GitHub has introduced a new policy setting that allows system administrators to control whether GitHub Actions can approve pull requests.
“This protects against a user using Actions to satisfy the ‘required approvals’ branch protection requirement and merging a change that was not reviewed by another user,” GitHub explains.
“To prevent breaking existing workflows, ‘Allow GitHub Actions reviews to count towards required approval’ is enabled by default. However, an organization admin can disable it under the organization's Actions settings,” the tech firm added.
The Daily Swig invited GitHub to comment on this issue but we’re yet to hear back. Cider Security has updated its blog post.
Cider Security said: “We recommend you to use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests.”
“We recommend you to use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests,” it concluded. We’ll update this story as and when more information comes to hand.
Attacking the fastest path to production
Cider Security encountered the flaw while researching novel CI/CD attack vectors.
“GitHub paid for this bug shortly after it was reported,” Gil told The Daily Swig. “Their bug bounty program is great - they respond fast and to the point.”
“GitHub accepted the issue, however they said it would take some time to mitigate, so they allowed to disclose it in the meanwhile,” Gil added.
Gil told The Daily Swig that the flaw was of a type the industry as a whole is likely to receive more focus of in future.
“Adversaries today know that the fastest path to production goes through the CI/CD, and they take advantage of it,” Gil warned. “Sophisticated attack paths and actual breaches in these areas are already seen frequently, and I'm sure this will increase.”