TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks


Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.

The misconfigurations could have been abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via a malicious pull request," Praetorian researchers Adnan Khan and John Stawinski said in a report published this week.

Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.

TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, which refer to the machines that execute jobs in a GitHub Actions workflow, can be either self-hosted or hosted by GitHub.

"We recommend that you only use self-hosted runners with private repositories," GitHub notes in its documentation. "This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow."

Put differently, this allows any contributor to execute arbitrary code on the self-hosted runner by submitting a malicious pull request.

This, however, does not pose any security concern with GitHub-hosted runners, as each runner is ephemeral and is a clean, isolated virtual machine that is destroyed at the end of the job execution.

Praetorian said it was able to identify TensorFlow workflows that were executed on self-hosted runners, subsequently finding fork pull requests from previous contributors that automatically triggered the corresponding CI/CD workflows without requiring approval.

An adversary looking to trojanize a target repository could, therefore, fix a typo or make a small but legitimate code change, create a pull request for it, and then wait until the pull request is merged in order to become a contributor. This would then allow them to execute code on the runner without raising any red flags by creating a rogue pull request.

Further examination of the workflow logs revealed not only that the self-hosted runner was non-ephemeral (thus opening the door for persistence), but also that the GITHUB_TOKEN permissions associated with the workflow came with extensive write permissions.

"Because the GITHUB_TOKEN had the Contents:write permission, it could upload releases to https://github[.]com/tensorflow/tensorflow/releases/," the researchers said. "An attacker that compromised one of these GITHUB_TOKENs could upload their own files to the Release Assets."

On top of that, the contents:write permission could be weaponized to push code directly to the TensorFlow repository by covertly injecting the malicious code into a feature branch and getting it merged into the main branch.

That's not all. A threat actor could steal the AWS_PYPI_ACCOUNT_TOKEN used in the release workflow to authenticate to the Python Package Index (PyPI) registry and upload a malicious Python .whl file, effectively poisoning the package.

"An attacker could also use the GITHUB_TOKEN's permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners," the researchers said.

Following responsible disclosure on August 1, 2023, the shortcomings were addressed by the project maintainers as of December 20, 2023, by requiring approval for workflows submitted from all fork pull requests and by changing the GITHUB_TOKEN permissions to read-only for workflows that ran on self-hosted runners.
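To make the two misconfigurations and the fix concrete, here is a constructed GitHub Actions workflow (an added example, not TensorFlow's own workflow files) showing the weak shape the report describes, followed by the hardened shape that matches the December 2023 changes. The job name, labels and build script are placeholders; only the `permissions` keys, `runs-on` syntax and runner `--ephemeral` option are real GitHub Actions features.

```yaml
# Constructed example, not taken from the TensorFlow repository.
# --- Weak form: the pattern the report describes ---
# A pull_request-triggered job on a persistent self-hosted runner, with a
# job token that can write repository contents (and therefore releases).
name: ci-weak
on:
  pull_request:
permissions:
  contents: write        # job GITHUB_TOKEN may create releases and push branches
jobs:
  build:
    runs-on: [self-hosted, linux]   # long-lived machine shared across jobs
    steps:
      - uses: actions/checkout@v4   # checks out whatever tree the PR carries
      - run: ./build.sh             # hypothetical build script
---
# --- Hardened form, matching the fix ---
name: ci-hardened
on:
  pull_request:
# The job token is read-only on self-hosted runners; anything that publishes
# releases or pushes code uses a separately scoped credential in a workflow
# that does not run untrusted pull-request code.
permissions:
  contents: read
jobs:
  build:
    # Still self-hosted (the compute reason quoted in the report), so two
    # controls outside this file complete the fix:
    #  1. Repository setting "Require approval for all outside collaborators"
    #     (Settings > Actions > General) gates fork pull requests before
    #     any workflow executes.
    #  2. Register the runner with `./config.sh --ephemeral` so each job gets
    #     a fresh runner registration and cannot persist on the host.
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh             # hypothetical build script
```

Auditing existing workflows for the weak combination (self-hosted `runs-on` plus a writable `permissions` block or no `permissions` block at all, which inherits the repository default) is a quick way to find the same exposure elsewhere.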

"Similar CI/CD attacks are on the rise as more organizations automate their CI/CD processes," the researchers said.

"AI/ML companies are particularly vulnerable as many of their workflows require significant compute power that's not available in GitHub-hosted runners, thus the prevalence of self-hosted runners."

The disclosure comes as both researchers revealed that several public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions runners.
