Cyber Security

GitHub Actions flaw that allowed code to be approved without review is addressed

Tighter controls have been introduced to resolve a weakness in GitHub Actions that made it possible to circumvent code review safeguards.

Omer Gil and colleagues from security start-up Cider Security found that the code review bypass affected even organizations that had never actively adopted GitHub Actions, because the feature is enabled by default.

Gil previously told The Daily Swig: “Required reviews is one of the most widely used security mechanisms in GitHub, and since GitHub Actions is installed by default nearly any organization is vulnerable to this.”

GitHub Actions – GitHub’s continuous integration (CI) service – offers a mechanism to build and run software development workflows all the way from development to production systems.

In a blog post on Medium, Cider Security explained how the authorization bypass could let either a rogue developer or an attacker holding a compromised account self-approve pull requests, opening the door to planting malicious code upstream of production software.

An attacker would need to compromise only a single user account with access to the repository. The attack relies on editing the permissions key in a workflow file so that the workflow's GITHUB_TOKEN is granted pull-requests: write; the workflow can then submit an approving review on the attacker's own pull request, and that approval satisfies the required-reviews rule.

Cider Security was cleared to publish its take on the vulnerability last October, weeks before GitHub closed the loophole.

Repo man

As explained in a blog post this week, GitHub has introduced a new policy setting that allows organization administrators to control whether GitHub Actions can approve pull requests.

“This protects against a user using Actions to satisfy the ‘required approvals’ branch protection requirement and merging a change that was not reviewed by another user,” GitHub explains.

“To prevent breaking existing workflows, ‘Allow GitHub Actions reviews to count towards required approval’ is enabled by default. However, an organization admin can disable it under the organization’s Actions settings,” the tech firm added.
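Two checks follow from the setting described above: confirm that the organization (or repository) no longer lets Actions approvals count toward required reviews, and look back through merged pull requests for ones whose only approval came from the Actions identity. The script below is an added example, not code from Cider Security, GitHub or the article. It runs over JSON shaped like the GitHub REST API responses (`can_approve_pull_request_reviews` from the workflow-permissions endpoint, and the review objects from the pull request reviews endpoint); every payload in it is constructed sample data, and the PR numbers and logins are made up.

```python
"""Audit helpers for the GitHub Actions self-approval weakness.

Added example (not Cider Security's, GitHub's or the article's code). Both
checks operate on dicts shaped like GitHub REST API responses; the sample
payloads at the bottom are constructed for this example.
"""
from __future__ import annotations

from typing import Iterable

# Login of the identity a workflow's GITHUB_TOKEN acts as when it reviews a PR.
ACTIONS_BOT_LOGIN = "github-actions[bot]"


def actions_can_approve(workflow_permissions: dict) -> bool:
    """Return True if Actions approvals still count toward required reviews.

    `can_approve_pull_request_reviews` is the boolean returned by
    GET /orgs/{org}/actions/permissions/workflow (and the per-repository
    endpoint). The setting shipped enabled, so a missing key is treated as
    the insecure default rather than as "fixed".
    """
    return bool(workflow_permissions.get("can_approve_pull_request_reviews", True))


def is_bot(user: dict) -> bool:
    return user.get("type") == "Bot" or user.get("login") == ACTIONS_BOT_LOGIN


def latest_review_state(reviews: Iterable[dict]) -> dict[str, dict]:
    """Collapse a PR's review list to each reviewer's most recent review.

    A later CHANGES_REQUESTED review supersedes an earlier APPROVED one, and a
    dismissed approval comes back with state DISMISSED, which is how branch
    protection itself evaluates the list.
    """
    latest: dict[str, dict] = {}
    for review in sorted(reviews, key=lambda r: r["submitted_at"]):
        latest[review["user"]["login"]] = review
    return latest


def human_approvers(reviews: Iterable[dict], pr_author: str) -> set[str]:
    """Logins of real users other than the author whose latest review approves."""
    return {
        login
        for login, review in latest_review_state(reviews).items()
        if review["state"] == "APPROVED"
        and not is_bot(review["user"])
        and login != pr_author
    }


def approved_only_by_actions(pr: dict, reviews: list[dict]) -> bool:
    """The bypass pattern: the Actions identity approved and no human did."""
    latest = latest_review_state(reviews)
    bot_approved = any(
        r["state"] == "APPROVED" and is_bot(r["user"]) for r in latest.values()
    )
    return bot_approved and not human_approvers(reviews, pr["user"]["login"])


def audit(prs: list[tuple[dict, list[dict]]]) -> list[int]:
    """Numbers of merged PRs whose only standing approval came from Actions."""
    return [
        pr["number"]
        for pr, reviews in prs
        if pr.get("merged") and approved_only_by_actions(pr, reviews)
    ]


# ---- constructed sample data (not real API output) --------------------------
WEAK_ORG_SETTING = {"default_workflow_permissions": "write",
                    "can_approve_pull_request_reviews": True}
FIXED_ORG_SETTING = {"default_workflow_permissions": "read",
                     "can_approve_pull_request_reviews": False}


def review(login: str, state: str, when: str, user_type: str = "User") -> dict:
    return {"user": {"login": login, "type": user_type},
            "state": state, "submitted_at": when}


# Only the Actions bot approved: the bypass.
BYPASSED_PR = ({"number": 42, "user": {"login": "mallory"}, "merged": True},
               [review(ACTIONS_BOT_LOGIN, "APPROVED", "2021-10-01T10:00:00Z", "Bot")])

# Bot approved, but a real reviewer did too: fine.
REVIEWED_PR = ({"number": 43, "user": {"login": "mallory"}, "merged": True},
               [review(ACTIONS_BOT_LOGIN, "APPROVED", "2021-10-01T10:00:00Z", "Bot"),
                review("alice", "APPROVED", "2021-10-01T11:00:00Z")])

# alice's approval was dismissed, so only the bot approval stands: flagged.
DISMISSED_PR = ({"number": 44, "user": {"login": "mallory"}, "merged": True},
                [review("alice", "DISMISSED", "2021-10-01T09:00:00Z"),
                 review(ACTIONS_BOT_LOGIN, "APPROVED", "2021-10-01T10:00:00Z", "Bot")])

if __name__ == "__main__":
    print("org still lets Actions approve:", actions_can_approve(WEAK_ORG_SETTING))
    print("flagged PRs:", audit([BYPASSED_PR, REVIEWED_PR, DISMISSED_PR]))
```

The review check deliberately ignores the pull request author's own approval as well as bot approvals, because the point of a required-reviews rule is a second human; feeding it real data means paging through the reviews endpoint for each merged PR and passing the results in the same shape.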

The Daily Swig invited GitHub to comment on this issue but has yet to hear back. Cider Security has updated its blog post.

Cider Security said: “We recommend you to use this new setting to disallow malicious actors from bypassing branch protection rules by approving their own pull requests.”

We’ll update this story as and when more information comes to hand.

Attacking the fastest path to production

Cider Security encountered the flaw while researching novel CI/CD attack vectors.

“GitHub paid for this bug shortly after it was reported,” Gil told The Daily Swig. “Their bug bounty program is great – they respond fast and to the point.”


“GitHub accepted the issue, however they said it would take some time to mitigate, so they allowed us to disclose it in the meantime,” Gil added.

Gil told The Daily Swig that the flaw was of a type likely to receive more attention from the industry as a whole in future.

“Adversaries today know that the fastest path to production goes through the CI/CD, and they take advantage of it,” Gil warned. “Sophisticated attack paths and actual breaches in these areas are already seen frequently, and I’m sure this will increase.”

Source: https://portswigger.net/daily-swig/github-actions-flaw-that-allowed-code-to-be-approved-without-review-is-addressed


Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO
