Code-Injection Bugs Bite Google, Apache Open Source GitHub Projects

Published: 23/11/2024   Category: security




The flaws exist in CI/CD pipelines and can be used by attackers to subvert the development process and ship malicious code at deployment.



A pair of security vulnerabilities discovered in the GitHub environments of two very popular open source projects from Apache and Google could be used to stealthily modify project source code, steal secrets, and move laterally inside an organization.
The issues are continuous integration/continuous delivery (CI/CD) flaws that could threaten many more open source projects around the world, according to researchers at Legit Security, who found them affecting a Google Firebase project and a popular integration framework project run by Apache.
Researchers dubbed the vulnerability pattern GitHub Environment Injection. It allows attackers to take control of a vulnerable project's GitHub Actions pipeline by writing a specially crafted payload into the file that the GITHUB_ENV environment variable points to; GitHub Actions reads that file to set environment variables for the remaining steps of the job.
Specifically, the issue lies in the way GitHub shares environment variables between steps on the build machine: when untrusted input is written there, an attacker can inject variables that alter the behaviour of later steps and extract information, including credentials with write access to the repository.
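As an added illustration of the pattern described above (this is not code from Legit Security, Google, Apache or GitHub), the shell below shows how the injection works and how a step can be hardened. A workflow step copies an attacker-controlled string such as a pull request title into the GITHUB_ENV file; a newline inside that string terminates the intended assignment and starts a second one that every later step in the job inherits. The hardened writer uses GitHub's documented multi-line form (NAME<<DELIM ... DELIM) with a random delimiter. The parser is a deliberately simplified model of how the Actions runner consumes the file (an assumption, sufficient for the demonstration), and the malicious title with its LD_PRELOAD payload is constructed for the example.

```shell
#!/bin/sh
# Added illustration of GITHUB_ENV injection. Not code from Legit Security,
# Google, Apache or GitHub. parse_env_file is a simplified model (assumption)
# of how the Actions runner reads the GITHUB_ENV file: one NAME=VALUE per line,
# or NAME<<DELIM ... DELIM for a multi-line value.

# Vulnerable step body: an attacker-controlled string (PR title, branch name,
# commit message) is written straight into the GITHUB_ENV file. A newline in
# the string ends the PR_TITLE assignment and starts a second, attacker-chosen
# one that later steps will see in their environment.
vuln_write_env() {
  title="$1"; envfile="$2"
  printf 'PR_TITLE=%s\n' "$title" >> "$envfile"
}

# Hardened step body: the multi-line form with a random, unguessable delimiter
# keeps embedded newlines inside the value instead of turning them into new
# assignments. Better still, keep untrusted data out of GITHUB_ENV entirely and
# hand it to the step through its env: mapping.
safe_write_env() {
  title="$1"; envfile="$2"
  delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  printf 'PR_TITLE<<%s\n%s\n%s\n' "$delim" "$title" "$delim" >> "$envfile"
}

# Simplified model of the runner's parsing (assumption, see header). Prints the
# names of the variables the file would export, one per line.
parse_env_file() {
  envfile="$1"; delim=""
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$delim" ]; then
      # Inside a multi-line value: swallow lines until the delimiter.
      if [ "$line" = "$delim" ]; then delim=""; fi
      continue
    fi
    lhs="${line%%=*}"             # text before the first '=' (or whole line)
    case "$lhs" in
      '')     ;;                  # blank or malformed line: ignored
      *'<<'*) printf '%s\n' "${line%%<<*}"; delim="${line#*<<}" ;;
      *)      if [ "$lhs" != "$line" ]; then printf '%s\n' "$lhs"; fi ;;
    esac
  done < "$envfile"
}

# Exit 0 when the file would export anything besides PR_TITLE.
has_injected_var() {
  parse_env_file "$1" | grep -qvx 'PR_TITLE'
}

# Demo with a constructed malicious PR title (not real data). The second line
# tries to plant LD_PRELOAD so every later process in the job loads a hostile
# library from a path the attacker controls.
nl='
'
EVIL_TITLE="Fix typo${nl}LD_PRELOAD=/tmp/evil.so"
vuln_file=$(mktemp); safe_file=$(mktemp)
vuln_write_env "$EVIL_TITLE" "$vuln_file"
safe_write_env "$EVIL_TITLE" "$safe_file"
echo "vulnerable step exports: $(parse_env_file "$vuln_file" | tr '\n' ' ')"
# -> vulnerable step exports: PR_TITLE LD_PRELOAD
echo "hardened step exports:   $(parse_env_file "$safe_file" | tr '\n' ' ')"
# -> hardened step exports:   PR_TITLE
rm -f "$vuln_file" "$safe_file"
```

Run it with `sh` to see the two outcomes side by side. The random delimiter only closes the door on the newline trick; the control that actually follows the zero-trust advice below is to never let data from a contribution reach GITHUB_ENV or a shell command line at all, and to pass it into the step through the workflow's `env:` mapping, where the runner treats it as an opaque value.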
"The concept is that the build action itself trusts the code that is submitted for review in a way that you don't need anybody to review it," explains Liav Caspi, CTO and co-founder of Legit Security. "The mere fact that somebody makes a contribution tricks the build system into executing something about the code. There is a kind of automated test that runs, and you can make the test execute whatever you put there."
He adds: "The problem there is that anybody that makes a contribution could trigger that without the need for somebody to review it. So, that's very powerful."
According to Caspi, his team found the flaws as part of an ongoing investigation into CI/CD pipelines. With a surge in SolarWinds-style supply chain attacks, they had particularly been seeking out weaknesses in the GitHub ecosystem, since it is one of the most popular source code management (SCM) systems in the open source world and in enterprise development, and thus a natural vehicle for injecting vulnerabilities into software supply chains.
He explains that these flaws stem both from a design weakness in how the GitHub platform is built and from how different open source projects and enterprises use the platform.
"You could potentially write a very safe build script if you are super aware of the risks and circumvent a lot of risky operations," he explains. "But I think nobody is really aware of that, and there are a couple of mechanisms within GitHub Actions that are very dangerous that are used in everyday build operations."
He says that enterprise development teams should always assume zero trust with GitHub Actions and other build systems.
"They should assume that the components they're using to build — whether it is a build plug-in or anything submitted to them — that an attacker could leverage that," he says. "And then they should isolate the environment and also review code in a way that it doesn't execute code submitted for you."
As Caspi explains, these flaws illustrate that not only is the open source project itself a potential vector for supply chain attacks, but so is the code that makes up the CI/CD pipeline and its integrations.
Both bugs have been patched.
