Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.
The misconfigurations could be abused by an attacker to “conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow’s build agents via a malicious pull request,” Praetorian researchers Adnan Khan and John Stawinski said in a report published this week.
Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.
TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, the machines that execute jobs in a GitHub Actions workflow, can be either self-hosted or hosted by GitHub.
“We recommend that you only use self-hosted runners with private repositories,” GitHub notes in its documentation. “This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.”
Put differently, this allows any contributor to execute arbitrary code on the self-hosted runner by submitting a malicious pull request.
This, however, does not pose a security problem with GitHub-hosted runners, as each runner is ephemeral: a clean, isolated virtual machine that is destroyed at the end of the job execution.
Praetorian said it was able to identify TensorFlow workflows that were executed on self-hosted runners, and subsequently found fork pull requests from previous contributors that automatically triggered the corresponding CI/CD workflows without requiring approval.
An adversary looking to trojanize a target repository could, therefore, fix a typo or make a small but legitimate code change, open a pull request for it, and then wait until the pull request is merged in order to become a contributor. This would then enable them to execute code on the runner without raising any red flag by creating a rogue pull request.
Further analysis of the workflow logs revealed not only that the self-hosted runner was non-ephemeral (thus opening the door for persistence), but also that the GITHUB_TOKEN permissions associated with the workflow came with extensive write permissions.
“Because the GITHUB_TOKEN had the Contents:write permission, it could upload releases to https://github[.]com/tensorflow/tensorflow/releases/,” the researchers said. “An attacker that compromised one of these `GITHUB_TOKEN`s could add their own files to the Release Assets.”
On top of that, the contents:write permission could be weaponized to push code directly to the TensorFlow repository by covertly injecting the malicious code into a feature branch and getting it merged into the main branch.
That’s not all. A threat actor could steal the AWS_PYPI_ACCOUNT_TOKEN used in the release workflow to authenticate to the Python Package Index (PyPI) registry and upload a malicious Python .whl file, effectively poisoning the package.
“An attacker could also use the GITHUB_TOKEN’s permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners,” the researchers noted.
Following responsible disclosure on August 1, 2023, the shortcomings were addressed by the project maintainers as of December 20, 2023, by requiring approval for workflows submitted from all fork pull requests and by changing the GITHUB_TOKEN permissions to read-only for workflows that ran on self-hosted runners.
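The two settings at the heart of this report, a self-hosted runner reachable from pull requests and a GITHUB_TOKEN with write scopes, can be checked mechanically. The following audit script is an added example written for this article, not code from Praetorian or the TensorFlow project; the two workflow definitions it inspects are constructed samples in the dict form a YAML loader returns, one carrying the weak permissions and one with the read-only fix described above.

```python
# Constructed sample workflows in the dict form a YAML loader returns;
# illustrative only, not TensorFlow's actual workflow files.
VULNERABLE = {
    "on": ["push", "pull_request"],
    "permissions": {"contents": "write", "pull-requests": "read"},
    "jobs": {"build": {"runs-on": ["self-hosted", "linux"]}},
}
FIXED = {
    "on": ["push", "pull_request"],
    "permissions": "read-all",
    "jobs": {"build": {"runs-on": ["self-hosted", "linux"]}},
}
WRITE_LEVELS = {"write", "write-all"}
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def triggers(workflow):
    # YAML 1.1 loaders turn the bare key `on` into boolean True, so check both.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    return set(on) if on else set()


def write_scopes(perms):
    """Scopes a `permissions:` block grants write to; None if undeclared."""
    if perms is None:
        return None
    if isinstance(perms, str):  # shorthand form: "read-all" / "write-all"
        return {"*"} if perms in WRITE_LEVELS else set()
    return {scope for scope, level in perms.items() if level in WRITE_LEVELS}


def audit_workflow(workflow):
    """Findings for jobs that run on self-hosted runners."""
    findings = []
    pr_reachable = bool(triggers(workflow) & PR_TRIGGERS)
    for name, job in (workflow.get("jobs") or {}).items():
        runs_on = job.get("runs-on", [])
        labels = {runs_on} if isinstance(runs_on, str) else set(runs_on)
        if "self-hosted" not in labels:
            continue
        if pr_reachable:  # approval for fork PRs is a repo setting, not visible here
            findings.append(f"{name}: self-hosted runner reachable from pull requests")
        scopes = write_scopes(job.get("permissions", workflow.get("permissions")))
        if scopes is None:
            findings.append(f"{name}: no permissions block, repository default applies")
        elif scopes:
            findings.append(f"{name}: GITHUB_TOKEN can write to {sorted(scopes)}")
    return findings
```

The fixed workflow still yields the first finding because the fork-approval requirement lives in repository settings rather than the workflow file, so that line is a prompt to verify the setting, not a defect in the file.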
“Similar CI/CD attacks are on the rise as more organizations automate their CI/CD processes,” the researchers said.
“AI/ML companies are particularly vulnerable as many of their workflows require significant compute power that isn’t available in GitHub-hosted runners, thus the prevalence of self-hosted runners.”
The disclosure comes as both researchers revealed that various public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions runners.
Some parts of this article are sourced from:
thehackernews.com