Coordinated Disclosure Timeline
- 2024-10-10: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-11-24: GHSL-2024-274 fix.
- 2024-12-16: GHSL-2024-275 fix.
Summary
Cilium push-chart-ci.yaml and build-images-base.yaml workflows are vulnerable to script injection.
Project
Cilium
Tested Version
Latest commit at the time of reporting.
Details
Issue 1: Code injection in push-chart-ci.yaml (GHSL-2024-274)
The push-chart-ci.yaml workflow uses a branch name from a fork in unsafe manner:
echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT
The branch name is user controlled and may contain double quotes.
Impact
An attacker may inject arbitrary bash commands. The workflow runs with read only permissions, however, it reads the QUAY_CHARTS_DEV_PASSWORD and QUAY_CHARTS_DEV_USERNAME secrets and therefore the attacker-controlled code will be able to dump the runner’s memory and exfiltrate these secrets.
Resources
Steps to reproduce
- Fork the
cilium/ciliumrepo. - Create a new branch in the fork and name it
";fi;fi;echo${IFS}`id`;#. - In the branch modify the workflow
Hot Fix Image Release Buildas below:
name: Hot Fix Image Release Build
on:
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- run: echo "ok"
- Create a Pull Request from the branch to
cilium/ciliumrepo. - Watch the
Hot Fix Image Release BuildandChart CI Pushrunning. - Watch the output of the
Get triggering event refstep. It will contain the output ofidcommand:uid=1001(runner) gid=127(docker) groups=127(docker),4(adm),101(systemd-journal)
Issue 2: Code injection in build-images-base.yaml (GHSL-2024-275)
The build-images-base.yaml is a workflow that runs on workflow_call or pull_request_target events. The workflow runs on pull request only if anything is changed under images/runtime/** or images/builder/** paths.
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
paths:
- images/runtime/**
- images/builder/**
# This workflow can be reused so that renovate can execute this workflow_dispatch:
# run from a different environment than 'release-base-images'. See
# build-images-base-renovate.yaml
workflow_call:
...
In case of pull request a malicious user controls the value of github.event.pull_request.head.ref that is set in the last step of the build-and-push job to the rev environment variable. Later the untrusted ref value is consumed by using script interpolation, which allows for bash script injection.
- name: Push changes into PR
env:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
run: |
git diff HEAD^
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }}
Impact
The workflow has access to QUAY_BASE_RELEASE_USERNAME, QUAY_BASE_RELEASE_PASSWORD, AUTO_COMMITTER_PEM and secrets.AUTO_COMMITTER_APP_ID secrets that can be stolen and runs with the following permissions that may be potentially used to compromise docker images from other runs:
permissions:
# To be able to access the repository with `actions/checkout`
contents: read
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
id-token: write
Resources
Steps to reproduce
- Fork the
cilium/ciliumrepo. - Create a new branch in the fork and name it
main";`id`. - In the branch modify the anything under
images/runtime/**orimages/builder/**paths. - Create a Pull Request from the branch to
cilium/ciliumrepo. - Watch the
build-images-base.yamlrunning. - Watch the output of the
Push changes into PRstep. It will contain the output ofidcommand:uid=1001(runner) gid=127(docker) groups=127(docker),4(adm),101(systemd-journal)
Credit
These issues were discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-274 or GHSL-2024-275 in any communication regarding these issues.