logo
allArticlesConferencesPresentations

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

Conference:  Global AppSec Dublin 2023

2023-02-15

Authors:   Magno Logan

Summary

The presentation discusses the vulnerabilities, attacks, and countermeasures related to GitHub Actions, a continuous integration tool used in DevOps methodology.
  • GitHub Actions automate tasks in software development life cycle
  • The presentation demonstrates the risks of using Runners, the servers provided by GitHub to run Actions
  • Attackers can leverage Runners to mine cryptocurrencies, pivot into other targets, and distribute backdoors into different repositories
  • The problem of third-party dependencies via the GitHub Actions Marketplace is highlighted
  • Creating a fake GitHub Action can make runners act as bots to target other victims and be used in supply-chain attacks
The presenter shares a fun fact that the population of the whole country of Ireland is less than the city of Rio De Janeiro, illustrating the difference in scale between the two regions.

Abstract

More organizations are applying a DevOps methodology to optimize software development. One of the main tools used in this process is a continuous integration (CI) tool that automates code changes from multiple developers working on the same project. In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. This talk plans to demonstrate how GitHub Actions work and show security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how to maliciously distribute backdoors into different repositories via the GitHub Actions Marketplace. This presentation results from detailed research published earlier this year on the topic where the author investigated abuse case scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their behalf and behalf of other users, among other attack vectors. We'll also demonstrate how to perform interactive commands to the Runner servers via reverse shell, which is technically not allowed via traditional means. Ultimately, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace. By demonstrating how easy it is to create a fake GitHub Action that, if used unwillingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.
Materials:
Slides
Tags:
Github Actions
CI tools
DevOps
cryptocurrency mining
reverse shell

Post a comment

Related work

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Conference:  Defcon 31
Authors: Asi Greenholts Security Researcher at Palo Alto Networks
2023-08-01

Github Actions Security Landscape

Conference:  SupplyChainSecurityCon 2022
Authors: Ronen Slavin, Alex Ilgayev
2022-06-22

Pwning the CI (with GitHub Action Workflows)

Conference:  Cloud Native SecurityCon North America 2022
Authors: Stephen Giguere
2022-10-25

🦝 Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Alex Ilgayev, Elad Pticha
2023-04-21

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller

Conference:  Cloud Native SecurityCon North America 2023
Authors: Natalie Somersall

Pwning the CI (GitHub Actions Edition)

Conference:  RSA Conference 2023
Authors: Stephen Giguere
2023-04-24