Tenable Analysis discovered a distant code execution vulnerability in a Microsoft GitHub repository. The flaw affected workflow automation within the Home windows-driver-samples repository.
The problem uncovered a path to unauthorised code execution and entry to repository secrets and techniques via GitHub Actions, the automation system utilized in software program growth pipelines.
With 5,000 forks and seven,700 stars, the repository is a visual venture for builders and researchers. Tenable mentioned its workforce confirmed how the workflow could possibly be abused to compromise a part of the software program provide chain tied to the repository.
The way it labored
In response to the researchers, the weak spot stemmed from a Python string injection flaw in an automatic workflow. An attacker may open a GitHub concern, place malicious Python code within the concern description, and depend on the workflow to run that code mechanically when the difficulty was created.
That will give the attacker execution inside the GitHub runner utilized by the repository. The identical route may additionally expose the GITHUB_TOKEN and different secrets and techniques configured for the venture.
The token is used to carry out actions on a repository. As a result of the repository predates 2023, and since the token permits at the least concern creation with out specific permissions being set within the workflow, the researchers inferred that it was seemingly working with default learn and write entry.
In apply, that would let an unauthorised person perform actions within the repository with Microsoft-level privileges tied to the token, together with creating points or altering repository content material.
Pipeline danger
The discovering highlights part of cyber danger that usually sits behind customer-facing merchandise. Steady integration and steady supply pipelines are used to check, construct, and publish code, however additionally they course of exterior enter and maintain delicate credentials, making them enticing targets.
Safety researchers have more and more centered on these growth programs as a result of a profitable compromise can have an effect on not just one utility but additionally the code and updates distributed to downstream customers. On this case, a easy concern submission by any registered GitHub person may have triggered the susceptible workflow.
That ease of exploitation is prone to concern safety groups reviewing their use of automation in open repositories. Workflows that reply to public-facing actions equivalent to points, pull requests, or feedback can create openings if person enter will not be safely dealt with earlier than scripts are executed.
Rémy Marot, Employees Analysis Engineer at Tenable, framed the difficulty as a part of a broader safety drawback in software program growth environments.
“The CI/CD infrastructure is a part of an organisation’s assault floor and software program provide chain,” Marot mentioned.
“With out robust safeguards, a vulnerability in a pipeline will be exploited to set off large-scale provide chain assaults and have vital impacts on downstream programs and customers,” he added.
Controls urged
Tenable urged organisations to deal with CI/CD programs as vital infrastructure somewhat than background tooling. It known as for tighter controls round supply code safety and construct integrity in automated workflows.
The corporate additionally urged growth groups to assessment token permissions explicitly as an alternative of counting on inherited defaults. Proscribing the GITHUB_TOKEN to the minimal entry wanted is a normal defence in opposition to abuse when a workflow is compromised.
Common audits of automated workflows are additionally wanted, particularly the place jobs are triggered by content material equipped by exterior customers. Enter dealing with, permissions, and secret publicity stay central areas for assessment in GitHub Actions and related programs.
The case underlines a wider problem for firms that keep public code repositories whereas counting on automation to handle contributions and venture exercise. Comfort options can cut back handbook work for builders, however they’ll additionally widen the assault floor when workflows execute information from untrusted sources.
For Microsoft and different massive software program suppliers, such findings can carry weight past a single repository as a result of growth practices in distinguished public tasks are sometimes copied by different groups. A flaw in a broadly noticed workflow can subsequently change into a lesson for the broader software program trade as a lot as an issue in a single codebase.
The dimensions of the Home windows-driver-samples repository, with 5,000 forks and seven,700 stars, meant the workflow sat in a venture with important developer consideration.