Security researchers at Legit Security identified vulnerabilities in the GitHub automated workflows used by Google Firebase and Apache Camel that could have been exploited to compromise those open source projects through their GitHub CI/CD pipeline and insert malicious code.
The Israel-based security vendor called the exploit technique “GitHub Environment Injection”. It is a way to abuse the platform’s automated integration and build process by injecting a malicious payload into a GitHub environment file variable called GITHUB_ENV.
Legit Security claims that a rogue or compromised developer could have used this technique to modify the source code of Firebase or Apache Camel and, among other things, carry out a supply chain attack on users of that code. Any malicious code that made it into the project could then have been deployed by the organizations that use it.
To be clear, the problem here is that the Firebase and Apache Camel repositories had poorly secured GitHub workflow pipelines, which could have been exploited by someone using Legit’s environment injection technique to interfere with those projects.
“Any GitHub user could exploit this flaw by forking the original repository, creating the malicious payload, and then merging it back into the original repository,” explains Liav Caspi, CTO of Legit, in an email to The Register. “That’s all it takes to trigger the flaw and take over a vulnerable pipeline.”
Caspi said this is the default workflow for a contributor to an open source project. “What’s especially dangerous about this vulnerability is that it fires before the administrator has a chance to review the change, and [the maintainer] doesn’t have to accept it for the vulnerability to take place,” Caspi said.
According to Caspi, no special privileges are required to perform this type of attack. “Any verified GitHub user could benefit from this,” he explained.
“An initial user contribution requires general admin approval, but any subsequent contribution from the contributor can take advantage of the vulnerability.”
We are told that the code in question does not actually have to be merged. It is the pull request itself that allows the attacker to compromise the repository, by exposing an access token that enables further exploitation.
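As an added illustration, not Legit Security’s tooling and not either project’s actual workflow file, the script below audits a GitHub Actions workflow for the pattern described above: a step that redirects attacker-controllable pull-request text into $GITHUB_ENV, and a trigger that runs fork pull requests with a privileged token. The sample workflow, the list of untrusted context fields and the function names are constructed assumptions.

```python
import re

# Expression contexts an outside contributor controls (PR title/body, head branch
# name, issue/comment text, commit messages). Not exhaustive; extend for your repos.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:"
    r"pull_request\.(?:title|body|head\.(?:ref|label))|issue\.(?:title|body)"
    r"|comment\.body|head_commit\.message|commits\[[^\]]*\]\.message))\s*\}\}"
)
# Shell redirection into the GITHUB_ENV file: >> $GITHUB_ENV, >> "$GITHUB_ENV", >> ${GITHUB_ENV}
ENV_WRITE = re.compile(r">>\s*\"?\$\{?GITHUB_ENV\}?\"?")
# Triggers that run a fork's pull request with the base repository's write-capable token.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")

def find_env_injection(workflow_text):
    """Return (line_no, line) for each line that redirects attacker-controllable text
    into $GITHUB_ENV: a newline in that text defines extra NAME=value pairs for every
    later step. Known gap: values routed through `env:` first are not caught."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        if ENV_WRITE.search(line) and UNTRUSTED.search(line):
            hits.append((n, line.strip()))
    return hits

def uses_privileged_trigger(workflow_text):
    """True if the `on:` block lists a trigger that gives fork PRs a privileged token,
    which turns an env injection into a pipeline takeover rather than a nuisance."""
    m = re.search(r"^on:(.*(?:\n[ \t-].*)*)", workflow_text, re.M)
    return bool(m) and any(t in m.group(1) for t in PRIVILEGED_TRIGGERS)

# Constructed sample workflow (not the Firebase or Camel files) with one unsafe step.
SAMPLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, PR title is written straight into GITHUB_ENV
        run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
      - name: safer, the title is scoped to this one step as its own env var
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "title is $PR_TITLE"
"""

if __name__ == "__main__":
    print(find_env_injection(SAMPLE_WORKFLOW), uses_privileged_trigger(SAMPLE_WORKFLOW))
```

Run it over every file under .github/workflows/ and treat a hit in a workflow with a privileged trigger as the case to fix first.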
Legit Security said both Google and the Apache project administrators were aware of the vulnerability and each has addressed the issue in their repositories. Google did not respond to a request for comment.
“The ASF security team confirms that it was the Camel GitHub repository that was affected,” an Apache Software Foundation spokesperson told The Register in an email. “The issue was reported to the ASF on April 4, 2022 and resolved on April 5.
“It was not a bug in Apache Camel, but a problem with a configuration/script file used by a GitHub workflow. No CVE is issued because there was no security vulnerability in a software product made and made available by the ASF to download for ASF users.”
Caspi expressed concern that while Google and Apache have made repairs, other software projects are likely to be vulnerable.
Details of these flaws were published here today for developers looking to bolster their own GitHub workflows.
“We think many more problems will be found in the future,” Caspi said.
“CI/CD systems are complex and evolving rapidly, and CI/CD vendors will need to do more to close the security gap. The biggest problem is that build systems trust the code they build by default, and attackers have learned ways of injecting content that abuses this default trust to compromise the build process, which is an attack pattern we’re seeing more and more.” ®