- Jul 27, 2015
Security researchers at Legit Security identified vulnerabilities in the GitHub automated workflows used by Google Firebase and Apache Camel that could have been abused to compromise those open-source projects through their GitHub CI/CD pipeline and insert malicious code.
The Israel-based security shop called the exploitation technique "GitHub Environment Injection." It's a way to exploit the platform's automated integration and build process by injecting a malicious payload into a GitHub environment variable called GITHUB_ENV. Legit Security claims a rogue or compromised developer could have used this technique to alter the source code for Firebase or Apache Camel and, among other things, conducted a supply-chain attack on users of that code. Malicious code that made it into the project may have ended up being deployed by organizations.
"Any GitHub user could exploit this flaw by forking the original repository, creating the malicious payload and then merging it back to the original repository," explained Liav Caspi, CTO of Legit, in an email to The Register. "That’s all that is required to trigger the flaw and take over a vulnerable pipeline." Caspi said this is the standard workflow for a contributor to an open-source project. "What is especially dangerous with this vulnerability is that it is triggered before the maintainer gets the chance to review the change, and [the maintainer] does not need to accept it for the vulnerability to take place," said Caspi.
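The file format the technique abuses, as an added example (my code, not Legit Security's, GitHub's or The Register's): a model of how the Actions runner reads the GITHUB_ENV file, showing why a newline inside an untrusted value such as a pull-request title defines an extra, contributor-chosen variable, and a guard that rejects such values before a workflow appends them. The variable names and the sample title are constructed for the demonstration.

```python
"""Model of GITHUB_ENV consumption plus a guard for untrusted values.
Added example; parsing rules follow GitHub's documented file format."""
import re

# Policy for names we are willing to append (assumption: stricter than
# what the runner itself enforces).
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_github_env(text: str) -> dict:
    """Runner rules: NAME=VALUE sets one variable; NAME<<DELIM opens a
    block that runs until a line equal to DELIM; blank lines are ignored."""
    env, lines, i = {}, text.split("\n"), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        # Heredoc form only when "<<" comes before any "=" on the line.
        if "<<" in line and "=" not in line.split("<<", 1)[0]:
            name, delim = line.split("<<", 1)
            block = []
            while i < len(lines) and lines[i] != delim:
                block.append(lines[i])
                i += 1
            i += 1  # skip the closing delimiter line
            env[name.strip()] = "\n".join(block)
        elif "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value
    return env

def append_untrusted(env_file: str, name: str, value: str) -> str:
    """Append NAME=VALUE only if the value cannot start a new line."""
    if not _NAME_RE.match(name):
        raise ValueError(f"bad variable name {name!r}")
    if "\n" in value or "\r" in value:
        raise ValueError("newline in value would define extra variables")
    return env_file + f"{name}={value}\n"

# Constructed sample: a PR title copied verbatim into GITHUB_ENV by a
# careless workflow. Its second line is parsed as a separate variable.
UNTRUSTED_TITLE = "Fix typo\nEXTRA_VAR=set-by-contributor"
NAIVE_FILE = f"PR_TITLE={UNTRUSTED_TITLE}\n"

def demo():
    """Return what the naive write yields and what the guard does instead."""
    naive = parse_github_env(NAIVE_FILE)
    try:
        append_untrusted("", "PR_TITLE", UNTRUSTED_TITLE)
        guarded = "accepted"
    except ValueError as exc:
        guarded = f"rejected: {exc}"
    return naive, guarded
```

The same check belongs wherever a workflow writes pull-request metadata, artifact contents or other fork-controlled data to `$GITHUB_ENV`; better still is not writing untrusted data there at all.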
- Source: "How to perform a supply-chain attack on a GitHub project" (subtitle "Starting with Google Firebase and Apache Camel repos"), www.theregister.com