Security researchers at Palo Alto Networks (Unit 42) have found that the CI/CD pipelines of several well-known open-source projects, including ones maintained by Google, Microsoft, AWS, and Red Hat, leaked GitHub tokens through workflow artifacts. A leaked token can give an attacker unauthorized access to private repositories, let them steal source code, or let them push malicious code into the project.
The tokens end up in artifacts through a combination of unsafe defaults, user misconfiguration, and missing security checks when workflows are set up. A key factor is the actions/checkout action, which clones the repository into the runner's workspace so later steps can use the code; by default (its persist-credentials input is true) it also writes the job's GITHUB_TOKEN into the local .git/config so that subsequent git commands can authenticate. If a workflow then uploads the whole workspace, or any directory that contains .git, as an artifact, the token is uploaded with it.
The problem is made worse by artifact retention: build outputs and test results uploaded as artifacts are kept and downloadable for up to 90 days by default, by anyone who can read the repository (for a public repository, any GitHub user). Artifacts can also carry other secrets, such as API keys and cloud-service credentials captured in logs, which widens the exposure beyond GitHub itself.
If such an artifact contains a GitHub token, an attacker who downloads it can use the token in a number of ways, provided they do so before it expires. Lifetimes differ: the GITHUB_TOKEN is valid only until the job that issued it finishes, so the attacker has to grab the artifact while the workflow is still running, whereas ACTIONS_RUNTIME_TOKEN remains valid for about six hours. Either way the window is bounded, but a long-running job with many steps after the upload leaves plenty of time.
Palo Alto Networks identified 14 major open-source projects in which tokens leaked this way and notified their maintainers; among them were Firebase (Google), OpenSearch Security (AWS), Clair (Red Hat), and JSON Schemas (Microsoft).
GitHub users are advised to review their workflow configuration, to avoid uploading entire directories as artifacts (name the specific files instead, and never include .git), to set persist-credentials to false on actions/checkout when later steps do not need an authenticated git, to shorten artifact retention with the retention-days input where the default is more than necessary, to clear logs regularly, and to run routine configuration reviews. Above all, grant the job's token only the permissions it needs (the permissions key in the workflow), so that a token which does leak can do as little damage as possible.
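The following script is an added example, not code from Palo Alto Networks, GitHub, or any of the projects named above. It shows the check a practitioner would put in front of actions/upload-artifact: it walks a directory that is about to be uploaded, decodes the basic-auth header that actions/checkout persists in .git/config back to the token it wraps, and flags GitHub-token-shaped strings in log files. The workspace it scans when run without arguments, the tokens in it, and the file names are all constructed for the example.

```python
"""Pre-upload guard for GitHub Actions artifacts (added example).

Run as a workflow step before actions/upload-artifact, e.g.
    python artifact_guard.py dist/ build/
With no arguments it builds and scans a constructed sample workspace.
"""
import base64
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# actions/checkout with persist-credentials: true (the default) stores the
# job's GITHUB_TOKEN as a git HTTP extra header in .git/config:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)

# Prefixes GitHub uses for its tokens (ghp_ classic PAT, ghs_ installation
# token as used by GITHUB_TOKEN, gho_/ghu_/ghr_ OAuth and refresh tokens).
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")

MAX_FILE_BYTES = 5_000_000  # skip large binaries; tune for your artifacts

Finding = Tuple[str, str, str]  # (relative path, kind, secret)


def decode_extraheader(blob: str) -> Optional[str]:
    """Recover the token wrapped in git's basic-auth extra header."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    _user, sep, secret = raw.partition(":")
    return secret if sep and secret else None


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, secret) pairs found in one file's contents."""
    hits = []
    for m in EXTRAHEADER_RE.finditer(text):
        token = decode_extraheader(m.group(1))
        if token:
            hits.append(("git-extraheader", token))
    for m in TOKEN_RE.finditer(text):
        hits.append(("token-pattern", m.group(1)))
    return hits


def scan_tree(root: Path) -> List[Finding]:
    """Walk root, dot-directories such as .git included, and collect findings."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > MAX_FILE_BYTES:
                    continue
                text = path.read_bytes().decode("utf-8", errors="ignore")
            except OSError:
                continue
            rel = path.relative_to(root).as_posix()
            findings.extend((rel, kind, secret) for kind, secret in scan_text(text))
    return findings


def redact(secret: str) -> str:
    """Show only a prefix so the guard's own log does not leak the token."""
    return secret[:7] + "…"


# ---- constructed sample workspace: fake repository, fake tokens ----
SAMPLE_TOKEN = "ghs_0123456789abcdefghijklmnopqrstuvwxyz"  # shape of a GITHUB_TOKEN
SAMPLE_PAT = "ghp_ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210"    # shape of a classic PAT


def build_sample_workspace(root: Path) -> None:
    """Lay out what a checked-out workspace plus a chatty test log looks like."""
    (root / ".git").mkdir(parents=True)
    blob = base64.b64encode(f"x-access-token:{SAMPLE_TOKEN}".encode()).decode()
    (root / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[remote "origin"]\n\turl = https://github.com/example/repo\n'
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {blob}\n"
    )
    (root / "build.log").write_text("compiled 12 files, 0 warnings\n")
    (root / "test-output.log").write_text(
        f"DEBUG request headers: Authorization: token {SAMPLE_PAT}\n"
    )


def demo() -> List[Finding]:
    """Build the sample workspace in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_workspace(root)
        return scan_tree(root)


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    hits = [h for t in targets for h in scan_tree(t)] if targets else demo()
    for rel, kind, secret in hits:
        print(f"{rel}: {kind} {redact(secret)}")
    sys.exit(1 if hits else 0)  # a non-zero exit fails the workflow before upload
```

Wire it into the workflow as a step that runs against exactly the paths you later pass to upload-artifact; a non-zero exit stops the job before anything is published. The extra-header check is the one that matters most, because the token in .git/config is base64-encoded and so escapes naive grep-for-"ghs_" scanning; the pattern check catches tokens that debugging output has written into logs.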