Coordinated Disclosure Timeline
- 2024-10-10: Reported through GitHub’s Private Vulnerability Reporting (PVR).
- 2024-11-24: GHSL-2024-274 fix.
- 2024-12-16: GHSL-2024-275 fix.
Summary
Cilium push-chart-ci.yaml
and build-images-base.yaml
workflows are vulnerable to script injection.
Project
Cilium
Tested Version
Latest commit at the time of reporting.
Details
Issue 1: Code injection in push-chart-ci.yaml
(GHSL-2024-274
)
The push-chart-ci.yaml
workflow uses a branch name from a fork in unsafe manner:
echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT
The branch name is user controlled and may contain double quotes.
Impact
An attacker may inject arbitrary bash commands. The workflow runs with read only permissions, however, it reads the QUAY_CHARTS_DEV_PASSWORD
and QUAY_CHARTS_DEV_USERNAME
secrets and therefore the attacker-controlled code will be able to dump the runner’s memory and exfiltrate these secrets.
Resources
Steps to reproduce
- Fork the
cilium/cilium
repo. - Create a new branch in the fork and name it
";fi;fi;echo${IFS}`id`;#
. - In the branch modify the workflow
Hot Fix Image Release Build
as below:
name: Hot Fix Image Release Build
on:
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- run: echo "ok"
- Create a Pull Request from the branch to
cilium/cilium
repo. - Watch the
Hot Fix Image Release Build
andChart CI Push
running. - Watch the output of the
Get triggering event ref
step. It will contain the output ofid
command:uid=1001(runner) gid=127(docker) groups=127(docker),4(adm),101(systemd-journal)
Issue 2: Code injection in build-images-base.yaml (GHSL-2024-275
)
The build-images-base.yaml
is a workflow that runs on workflow_call
or pull_request_target
events. The workflow runs on pull request only if anything is changed under images/runtime/**
or images/builder/**
paths.
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
paths:
- images/runtime/**
- images/builder/**
# This workflow can be reused so that renovate can execute this workflow_dispatch:
# run from a different environment than 'release-base-images'. See
# build-images-base-renovate.yaml
workflow_call:
...
In case of pull request a malicious user controls the value of github.event.pull_request.head.ref
that is set in the last step of the build-and-push
job to the rev
environment variable. Later the untrusted ref
value is consumed by using script interpolation, which allows for bash script injection.
- name: Push changes into PR
env:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }}
run: |
git diff HEAD^
git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }}
Impact
The workflow has access to QUAY_BASE_RELEASE_USERNAME
, QUAY_BASE_RELEASE_PASSWORD
, AUTO_COMMITTER_PEM
and secrets.AUTO_COMMITTER_APP_ID
secrets that can be stolen and runs with the following permissions that may be potentially used to compromise docker images from other runs:
permissions:
# To be able to access the repository with `actions/checkout`
contents: read
# Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
id-token: write
Resources
Steps to reproduce
- Fork the
cilium/cilium
repo. - Create a new branch in the fork and name it
main";`id`
. - In the branch modify the anything under
images/runtime/**
orimages/builder/**
paths. - Create a Pull Request from the branch to
cilium/cilium
repo. - Watch the
build-images-base.yaml
running. - Watch the output of the
Push changes into PR
step. It will contain the output ofid
command:uid=1001(runner) gid=127(docker) groups=127(docker),4(adm),101(systemd-journal)
Credit
These issues were discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2024-274
or GHSL-2024-275
in any communication regarding these issues.