Skip to content

RCE in Github Actions via Malicious Comment

High
JamesMBartlett published GHSA-f6h3-62c5-x5x8 Jun 12, 2024

Package

actions Pixie perf action (GitHub Actions)

Affected versions

N/A

Patched versions

https://github.com/pixie-io/pixie/commit/7359d40df6272d15b73535df67928e760269390d

Description

Description of Exploit

The workflow configuration for GitHub Actions allows for the execution of arbitrary code by exploiting a race condition between comment-based trigger and code execution. This issue arises from how the input ref is handled.

Configuration in perf_common.yaml

In the perf_common.yaml file, the code is checked out and executed on a specified ref provided as input:

    - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3  # v3.5.0
      with:
        ref: ${{ inputs.ref }}
    - name: Add pwd to git safe dir
      run: git config --global --add safe.directory `pwd`
    - name: Use GitHub Bazel config
      uses: ./.github/actions/bazelrc
      with:
        BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}

Trigger in perf.yaml

In the perf.yaml file, the pr-perf-eval job triggers the common performance workflow and passes the ref of the pull request head:

  pr-perf-eval:
    name: PR Performance Evaluation
    needs: pr-perf-setup
    if: ${{ needs.pr-perf-setup.outputs.outcome == 'success' }}
    uses: ./.github/workflows/perf_common.yaml
    with:
      suites: ${{ needs.pr-perf-setup.outputs.suites }}
      tags: ${{ needs.pr-perf-setup.outputs.tags }}
      ref: refs/pull/${{ github.event.issue.number }}/head

Exploit Scenario

  1. Initial Comment: An authorized user (e.g., a maintainer) makes a comment that triggers the pr-perf-eval workflow. This comment leads to the retrieval of the ref pointing to the pull request's head.

  2. Race Condition: A malicious actor who has access to the pull request (either as the PR author or a collaborator) pushes a new, malicious commit to the PR branch after the comment is made but before the workflow executes.

  3. Code Execution: When the workflow runs, it checks out the code from the updated ref, which now includes the malicious commit. This malicious code can then execute within the GitHub Actions environment.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CVE ID

No known CVE

Weaknesses

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Learn more on MITRE.

Credits