Tenable Analysis discovered a distant code execution vulnerability in a Microsoft GitHub repository. The flaw affected workflow automation within the Home windows-driver-samples repository.
The difficulty uncovered a path to unauthorised code execution and entry to repository secrets and techniques by means of GitHub Actions, the automation system utilized in software program growth pipelines.
With 5,000 forks and seven,700 stars, the repository is a visual mission for builders and researchers. Tenable stated its staff confirmed how the workflow might be abused to compromise a part of the software program provide chain tied to the repository.
The way it labored
In response to the researchers, the weak spot stemmed from a Python string injection flaw in an automatic workflow. An attacker might open a GitHub subject, place malicious Python code within the subject description, and depend on the workflow to run that code robotically when the problem was created.
That might give the attacker execution inside the GitHub runner utilized by the repository. The identical route might additionally expose the GITHUB_TOKEN and different secrets and techniques configured for the mission.
The token is used to carry out actions on a repository. As a result of the repository predates 2023, and since the token permits at the very least subject creation with out specific permissions being set within the workflow, the researchers inferred that it was doubtless working with default learn and write entry.
In apply, that would let an unauthorised person perform actions within the repository with Microsoft-level privileges tied to the token, together with creating points or altering repository content material.
Pipeline threat
The discovering highlights part of cyber threat that always sits behind customer-facing merchandise. Steady integration and steady supply pipelines are used to check, construct, and publish code, however additionally they course of exterior enter and maintain delicate credentials, making them enticing targets.
Safety researchers have more and more targeted on these growth techniques as a result of a profitable compromise can have an effect on not just one software but in addition the code and updates distributed to downstream customers. On this case, a easy subject submission by any registered GitHub person might have triggered the susceptible workflow.
That ease of exploitation is prone to concern safety groups reviewing their use of automation in open repositories. Workflows that reply to public-facing actions reminiscent of points, pull requests, or feedback can create openings if person enter will not be safely dealt with earlier than scripts are executed.
Rémy Marot, Workers Analysis Engineer at Tenable, framed the problem as a part of a broader safety downside in software program growth environments.
“The CI/CD infrastructure is a part of an organisation’s assault floor and software program provide chain,” Marot stated.
“With out sturdy safeguards, a vulnerability in a pipeline may be exploited to set off large-scale provide chain assaults and have important impacts on downstream techniques and customers,” he added.
Controls urged
Tenable urged organisations to deal with CI/CD techniques as important infrastructure moderately than background tooling. It referred to as for tighter controls round supply code safety and construct integrity in automated workflows.
The corporate additionally urged growth groups to evaluate token permissions explicitly as an alternative of counting on inherited defaults. Proscribing the GITHUB_TOKEN to the minimal entry wanted is a typical defence towards abuse when a workflow is compromised.
Common audits of automated workflows are additionally wanted, particularly the place jobs are triggered by content material equipped by exterior customers. Enter dealing with, permissions, and secret publicity stay central areas for evaluate in GitHub Actions and comparable techniques.
The case underlines a wider problem for corporations that preserve public code repositories whereas counting on automation to handle contributions and mission exercise. Comfort options can cut back guide work for builders, however they’ll additionally widen the assault floor when workflows execute information from untrusted sources.
For Microsoft and different massive software program suppliers, such findings can carry weight past a single repository as a result of growth practices in distinguished public initiatives are sometimes copied by different groups. A flaw in a broadly noticed workflow can subsequently develop into a lesson for the broader software program business as a lot as an issue in a single codebase.
The dimensions of the Home windows-driver-samples repository, with 5,000 forks and seven,700 stars, meant the workflow sat in a mission with vital developer consideration.