How to perform a supply chain attack on a GitHub project • The Register

Security researchers from Legit Security identified vulnerabilities in the automated GitHub workflows used by Google Firebase and Apache Camel that could be exploited to compromise and inject malicious code into these open source projects via their GitHub CI/CD pipeline.

The Israel-based security firm called the exploit technique “GitHub Environment Injection”. It’s a way to exploit the platform’s automated integration and build process by placing a malicious payload in a GitHub environment variable named GITHUB_ENV.
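The write pattern behind this technique, shown from the defender's side as an added example (not code from Legit Security, Firebase or Apache Camel). It relies on documented GitHub Actions behaviour: GITHUB_ENV holds the path of a file, and each NAME=value line a step appends to it becomes an environment variable for later steps. The function names, variable names and sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed names and data; it runs offline against a temp file.

# Unsafe pattern: untrusted text is appended verbatim, so a newline inside
# the value starts a second NAME=value line that the runner would also honour.
write_env_unsafe() {   # usage: write_env_unsafe NAME VALUE
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
}

# Hardened pattern: accept only a non-empty, single-line value made of an
# allowlisted character set, and refuse anything else rather than clean it.
write_env_safe() {     # usage: write_env_safe NAME VALUE
  case "$2" in
    *[!A-Za-z0-9._/-]*|'')
      echo "rejected value for $1" >&2
      return 1 ;;
  esac
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
}

# Count the variable definitions present in an env file.
count_env_lines() {
  grep -c '=' "$1" || true   # grep exits 1 on zero matches; still print 0
}

demo() {
  # Constructed sample: a value read from contributor-controlled content,
  # carrying an embedded newline and a second definition.
  untrusted=$(printf '1.2.3\nINJECTED=1')
  GITHUB_ENV=$(mktemp); export GITHUB_ENV

  write_env_unsafe PKG_VERSION "$untrusted"
  echo "unsafe write: $(count_env_lines "$GITHUB_ENV") definitions"

  : > "$GITHUB_ENV"          # start again with an empty env file
  write_env_safe PKG_VERSION "$untrusted" || echo "safe write: refused"
  echo "safe write: $(count_env_lines "$GITHUB_ENV") definitions"

  rm -f "$GITHUB_ENV"
}

demo
```
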

Legit Security claims that a rogue or compromised developer could have used this technique to modify the source code for Firebase or Apache Camel and, among other things, perform a supply chain attack on users of that code. Malicious code that made it into the project may then have been deployed by organizations. To be clear, the problem here is that the Firebase and Apache Camel repositories had poorly secured GitHub workflow pipelines that could be exploited by someone using Legit’s environment injection technique to interfere with these projects.

“Any GitHub user could exploit this flaw by forking the original repository, creating the malicious payload, and then merging it back into the original repository,” Legit CTO Liav Caspi explained in an email to The Register. “That’s all that is required to trigger the bug and take over a vulnerable pipeline.”

Caspi said this is the standard workflow for a contributor to an open source project. “What is particularly dangerous about this vulnerability is that it triggers before the maintainer has a chance to verify the change, and [the maintainer] doesn’t have to accept it for the vulnerability to occur,” Caspi said.

According to Caspi, no special privileges are required to perform this type of attack. “Any authenticated GitHub user could benefit from this,” he explained.

“An initial contribution by the user requires general approval from the maintainer, but any subsequent contribution by the contributor could exploit the vulnerability.”

We were told that the code in question does not necessarily need to be merged. It is the merge request that allows the attacker to compromise the repo by exposing an access token that allows for future abuse.

Legit Security said that both Google and the maintainers of the Apache project have been notified of the vulnerability and have patched the issue in their repositories. Google did not respond to a request for comment.

“The ASF security team has confirmed that the Camel GitHub repository was affected,” a spokesman for the Apache Software Foundation told The Register in an email. “The issue was reported to ASF on April 4, 2022 and resolved on April 5.

“It wasn’t a bug in Apache Camel, but an issue with a configuration/script file used by a GitHub workflow. No CVE is issued because there was no security vulnerability in a software product created by ASF and made available for download for ASF users.”

Caspi expressed concern that while Google and Apache have made repairs, other software projects are likely vulnerable. We believe more details on these bugs will be announced this week to help maintainers; we will let you know when that happens.

“We believe many more problems will be found in the future,” he said. “CI/CD systems are complex and evolving rapidly, and CI/CD vendors need to do more to close the security gap. The main problem is that build systems trust the code they create by default, and attackers have learned how to inject content that exploits this default trust to compromise the build process. This is an attack pattern that we are seeing more and more often.” ®

https://www.theregister.com/2022/09/01/google_firebase_apache_camel_github/

Laura Coffey
