Public secrets exposure leads to supply chain attack on GitHub CodeQL (opens in new tab)

(praetorian.com)

297 pointscyberbender0y ago61 comments

61 comments

An again this would not be so bad an impact if github finally pushed their immutable actions [1]. I sound like a broken record since I keep repeating that this would solve like 70%+ of the scope of attacks on gha today. You would think that the weekly disaster they have would finally make them launch it.

[1] https://github.com/features/preview/immutable-actions

thund0y ago

They probably have good reasons if it's still in preview, that could be serious bugs, security gaps, potential breaking changes that would cause more harm than good if rushed, etc

1oooqooq0y ago

the only reason any company does or don't anything: not required for sales.

in 2019 i saw a fortune500 tech company put in place their own vulnerability scanner internal application which included this feature for our enterprise github repos. the tool was built and deployed to an old Linux docker image that was never updated to not be the target of the attack they were preventing... they never vetted to random version they started with either. i guess one can still use zip bomb or even the xz backdoor for extra irony points when attacking that system.

anyway, the people signing github checks also get promoted by pretending to implement that feature internally.

intelVISA0y ago

Too much stakeholder alignment?

1 more reply

nyrikki0y ago

No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

declan_roberts0y ago

I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.

setr0y ago

Does any RBAC system actually tell you the missing permissions required to access the object in question? It’s like they’re designed to create this behavior

4 more replies

azemetre0y ago

What's the over/under that said engineer could solve two medium leetcodes in under and hour?

Pathogen-David0y ago

If the GitHub Actions temporary token does not have workflow-defined permissions scope, it defaults either to a permissive or restricted default scope based on the repository's setting. This setting can also be configured at the organization level to restrict all repos owned by the org.

Historically the only choice was permissive by default, so this is unfortunately the setting used by older organizations and repos.

When a new repo is created, the default is inherited from the parent organization, so this insecure default tends to stick around if nobody bothers to change it. (There is no user-wide setting, so new repos owned by a user will use the restricted default. I believe newly created orgs use the better default.)

[0]: https://docs.github.com/en/actions/security-for-github-actio...

beaugunderson0y ago

Temporary action tokens have full write by default; you have to explicitly opt for a read-only version.

    > Read and write permissions
    > Workflows have read and write permissions in the repository for all scopes.

If you read this line of the documentation (https://docs.github.com/en/actions/security-for-github-actio...) you might think otherwise:

    > If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully.

But I can confirm that in our GitHub organization "Read and write permissions" was the default, and thus that line of documentation makes no sense.

stogot0y ago

The 2023 Microsoft hack (that CISA completely called them out for poor security) also was similar to this. Their blog post that tried to explain what happened left so many unanswered questions

Elucalidavah0y ago

> For their fix, they disabled debug logs

For their quick fix, hopefully not for their final fix.

arccy0y ago

just goes to show how lax microsoft is about their security. nobody should trust them.

ashishb0y ago

I am getting more and more convinced that CI and CD should be completely separate environments. Compromise of CI should not lead to token leaks related to CD.

mdaniel0y ago

This area is near and dear to my heart, and I would offer that the solution isn't to decouple CD over into its own special little thing but rather to make the CD "multi factor" in that it must be "sub":"repo:octo-org/octo-repo:environment:prod"[1] and feel free to sprinkle in any other [fun claims][] you'd like to harden that system

1: https://docs.github.com/en/actions/security-for-github-actio...

fun claims: https://github.com/github/actions-oidc-debugger#readme

ashishb0y ago

Doable but I would prefer a complete isolation for simplicity.

1 more reply

nrvn0y ago

This is essentially how separation of duties(and concerns) looks like. And this is how some of the good examples of projects work. Specific techniques and tooling and specific boundaries of CI and CD vary depending on the nature of the end product but conceptually you are absolutely right.

junto0y ago

They weren’t kidding on the response time. Very impressive from GitHub.

belter0y ago

Not very impressive to have an exposed public token with full write credentials...

toomuchtodo0y ago

Perfect security does not exist. Their security system (people, tech) operated as expected with an impressive response time. Room for improvement, certainly, but there always is.

Edit: Success is not the absence of vulnerability, but introduction, detection, and response trends.

(Github enterprise comes out of my budget and I am responsible for appsec training and code IR, thoughts and opinions always my own)

3 more replies

1a527dd50y ago

Trying my best not to break the no snark rule [1], but I'm sure your code is 100% bullet proof against all current and future-yet-invented-attacks.

[1] _and failing_.

2 more replies

helsinki0y ago

As someone with the last name Prater—derived from Praetorian—I really wish I owned praetorian.com.

ratg130y ago

You would have had to have this thought prior to the release of the movie “The Net” in 1995

smoyer0y ago

Their gokart project was awesome!

udev40960y ago

Using public github actions is just asking for trouble and more so without analyzing the workflow's procedure. Instead, just host one yourself using woodpecker or countless other great CI builders (circle, travis, gitlab, etc)

ryao0y ago

I put CodeQL in use in OpenZFS PRs. This is not an issue for OpenZFS. None of our code is secret. :)

asmosoinio0y ago

I don't think this is a good take: Even if your code is not secret, the attack could add anything to your code or release artifacts.

Luckily it was quickly remedied at least.

atxtechbro0y ago

Is this fixed?

lsllc0y ago

It's in the article (and the comments here) -- yes, it was remediated within 3 hours of being reported back in January by GitHub.

bloqs0y ago

This sites performance is so bad i can barely scroll

j / k navigate · click thread line to collapse

61 comments

Sytten0y ago

[1] https://github.com/features/preview/immutable-actions

thund0y ago

They probably have good reasons if it's still in preview, that could be serious bugs, security gaps, potential breaking changes that would cause more harm than good if rushed, etc

1oooqooq0y ago

the only reason any company does or don't anything: not required for sales.

anyway, the people signing github checks also get promoted by pretending to implement that feature internally.

intelVISA0y ago

Too much stakeholder alignment?

1 more reply

nyrikki0y ago

No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

declan_roberts0y ago

I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.

setr0y ago

Does any RBAC system actually tell you the missing permissions required to access the object in question? It’s like they’re designed to create this behavior

4 more replies

azemetre0y ago

What's the over/under that said engineer could solve two medium leetcodes in under and hour?

Pathogen-David0y ago

Historically the only choice was permissive by default, so this is unfortunately the setting used by older organizations and repos.

[0]: https://docs.github.com/en/actions/security-for-github-actio...

beaugunderson0y ago

Temporary action tokens have full write by default; you have to explicitly opt for a read-only version.

    > Read and write permissions
    > Workflows have read and write permissions in the repository for all scopes.

If you read this line of the documentation (https://docs.github.com/en/actions/security-for-github-actio...) you might think otherwise:

    > If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully.

But I can confirm that in our GitHub organization "Read and write permissions" was the default, and thus that line of documentation makes no sense.

stogot0y ago

The 2023 Microsoft hack (that CISA completely called them out for poor security) also was similar to this. Their blog post that tried to explain what happened left so many unanswered questions

Elucalidavah0y ago

> For their fix, they disabled debug logs

For their quick fix, hopefully not for their final fix.

arccy0y ago

just goes to show how lax microsoft is about their security. nobody should trust them.

ashishb0y ago

I am getting more and more convinced that CI and CD should be completely separate environments. Compromise of CI should not lead to token leaks related to CD.

mdaniel0y ago

1: https://docs.github.com/en/actions/security-for-github-actio...

fun claims: https://github.com/github/actions-oidc-debugger#readme

ashishb0y ago

Doable but I would prefer a complete isolation for simplicity.

1 more reply

nrvn0y ago

junto0y ago

They weren’t kidding on the response time. Very impressive from GitHub.

belter0y ago

Not very impressive to have an exposed public token with full write credentials...

toomuchtodo0y ago

Perfect security does not exist. Their security system (people, tech) operated as expected with an impressive response time. Room for improvement, certainly, but there always is.

Edit: Success is not the absence of vulnerability, but introduction, detection, and response trends.

(Github enterprise comes out of my budget and I am responsible for appsec training and code IR, thoughts and opinions always my own)

3 more replies

1a527dd50y ago

Trying my best not to break the no snark rule [1], but I'm sure your code is 100% bullet proof against all current and future-yet-invented-attacks.

[1] _and failing_.

2 more replies

helsinki0y ago

As someone with the last name Prater—derived from Praetorian—I really wish I owned praetorian.com.

ratg130y ago

You would have had to have this thought prior to the release of the movie “The Net” in 1995

smoyer0y ago

Their gokart project was awesome!

udev40960y ago

ryao0y ago

I put CodeQL in use in OpenZFS PRs. This is not an issue for OpenZFS. None of our code is secret. :)

asmosoinio0y ago

I don't think this is a good take: Even if your code is not secret, the attack could add anything to your code or release artifacts.

Luckily it was quickly remedied at least.

atxtechbro0y ago

Is this fixed?

lsllc0y ago

It's in the article (and the comments here) -- yes, it was remediated within 3 hours of being reported back in January by GitHub.

bloqs0y ago

This sites performance is so bad i can barely scroll

j / k navigate · click thread line to collapse