Discover how GitHub Actions artifacts leak sensitive authentication tokens, exposing popular open-source projects to security risks. Learn about the ArtiPACKED vulnerability, how it works, and steps to protect your projects from potential attacks.
Palo Alto Networks’ Unit 42 has discovered a critical security vulnerability within GitHub Actions. This vulnerability, dubbed “ArtiPACKED,” potentially allows attackers to steal sensitive information, including GitHub authentication tokens, from popular open-source projects.
For your information, GitHub Actions uses workflow build artifacts such as compiled code, test reports, and deployment packages to prevent data loss and to keep execution efficient within the GitHub Actions environment. The vulnerability lies in the way GitHub Actions handles artifacts during the CI/CD (Continuous Integration/Continuous Delivery) workflow. Artifacts can be generated at various points in the pipeline, including build outputs and test results, and the way they are generated and stored can create security risks, as in the following scenarios.
Insecure Default Settings:
The actions/checkout action, commonly used to clone the repository code for the workflow, by default stores the GitHub token in the local, hidden “.git” directory. If the entire checkout directory is mistakenly uploaded as an artifact, the token becomes exposed to anyone with read access to the repository.
Accidental Uploads:
Uploading the entire checkout directory, which includes the “.git” folder with the token, inadvertently exposes the token within the artifact.
Environment Variable Leaks:
CI/CD pipelines often use environment variables to store sensitive data such as tokens. If these variables are accidentally or intentionally written to logs during workflow execution, and those logs are then uploaded as artifacts, the tokens can be revealed.
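The three scenarios above all end the same way: something containing a credential lands in the artifact. The following is an added example, not code from the Unit 42 report or from GitHub's own tooling, of a pre-upload check that a workflow could run as a step just before actions/upload-artifact. It assumes the .git/config layout that actions/checkout writes when persist-credentials is left at its default (an AUTHORIZATION: basic header under an http section), and it builds its own constructed sample workspace with fake tokens so it runs offline.

```python
import base64
import re
import tempfile
from pathlib import Path

# Prefixes of GitHub token formats: ghp_ (personal), ghs_ (Actions/installation),
# gho_/ghu_/ghr_ (OAuth, user-to-server, refresh). Real tokens have 36+ chars after the prefix.
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")

# actions/checkout (persist-credentials: true, the default) stores the job token in
# .git/config as an HTTP extra header: "extraheader = AUTHORIZATION: basic <base64>"
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def scan_artifact_dir(root):
    """Return (relative_path, finding_kind) pairs for everything that must not ship."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        # 1. Any git metadata at all means the checkout directory was uploaded wholesale.
        if rel.startswith(".git/") or "/.git/" in rel:
            findings.append((rel, "git-metadata"))
        # 2. The persisted credential header that checkout leaves behind in .git/config.
        m = EXTRAHEADER_RE.search(text)
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode(errors="ignore")
            except ValueError:
                decoded = ""
            if decoded.startswith("x-access-token:"):
                findings.append((rel, "persisted-credential"))
        # 3. Raw tokens copied into logs, test reports or config files.
        if GITHUB_TOKEN_RE.search(text):
            findings.append((rel, "github-token"))
    return findings


def is_safe_to_upload(root):
    """True only when the scan comes back empty; a workflow step would fail the job otherwise."""
    return not scan_artifact_dir(root)


def build_sample_artifact(include_leaks=True):
    """Constructed workspace mimicking a checkout directory after a build (no real data)."""
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / "build").mkdir()
    (root / "build" / "app.js").write_text("console.log('hello');\n")
    if include_leaks:
        fake_job_token = "ghs_" + "B" * 36  # constructed placeholder, not a real token
        header = base64.b64encode(f"x-access-token:{fake_job_token}".encode()).decode()
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        (root / ".git" / "config").write_text(
            "[core]\n\trepositoryformatversion = 0\n"
            '[http "https://github.com/"]\n'
            f"\textraheader = AUTHORIZATION: basic {header}\n"
        )
        (root / "logs").mkdir()
        fake_pat = "ghp_" + "A" * 36  # constructed placeholder, not a real token
        (root / "logs" / "test.log").write_text(f"DEBUG using token {fake_pat}\n")
    return root


if __name__ == "__main__":
    for rel, kind in scan_artifact_dir(build_sample_artifact()):
        print(f"{kind:22} {rel}")
```

Run against the constructed workspace, the scan reports the .git metadata, the persisted credential in .git/config and the token in the test log, while build/app.js stays clean; the same function run on just the build directory returns nothing, which is the directory a workflow should be uploading in the first place.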
These issues create a situation where attackers can potentially find leaked tokens within artifacts and, in specific scenarios, exploit “race conditions” to use short-lived tokens extracted from logs before they expire. How effectively a token can be exploited depends on its type.
For instance, the Actions_Runtime_Token, used internally by GitHub for managing artifacts, is typically valid for just six hours, whereas custom tokens, including API keys or access tokens for cloud services, can have lifespans ranging from several minutes to forever.
Moreover, attackers could use automated scripts to identify projects using GitHub Actions and then scan for vulnerabilities that might lead to artifact generation. These scripts could then download the artifacts and search for exposed secrets.
“A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume,” researchers noted.
These tokens, if compromised, could grant attackers unauthorized access to private repositories, allowing them to steal source code or even inject malicious code into projects. The report by Unit 42 highlights specific cases where popular projects, including those from Google, Microsoft, AWS, and Red Hat, were found to have leaked tokens through these vulnerabilities.
Unit 42 reported 14 instances of large open-source projects leaking tokens, emphasizing the need for robust security practices in CI/CD pipelines, particularly in automated workflows. Developers and project owners can mitigate this risk by reviewing and sanitizing directories, adjusting default settings for sensitive actions, and minimizing token permissions.
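To make the mitigations in the last sentence concrete, here is an added example, not taken from the Unit 42 report or from GitHub, that lints a workflow file with plain regular expressions: a constructed workflow using the insecure defaults sits beside the corrected one, and the linter flags only the first. It relies on two real inputs of the actions, persist-credentials on actions/checkout and path on actions/upload-artifact, and on the top-level permissions key of a workflow; the workflows themselves are made up for the example.

```python
import re
import textwrap

# Constructed workflows (not from any real project). The first keeps every default the
# article warns about; the second applies the three mitigations.
WEAK_WORKFLOW = textwrap.dedent("""\
    name: build
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - run: npm ci && npm run build
          - uses: actions/upload-artifact@v4
            with:
              name: site
              path: .
    """)

HARDENED_WORKFLOW = textwrap.dedent("""\
    name: build
    on: [push]
    permissions:
      contents: read
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
            with:
              persist-credentials: false
          - run: npm ci && npm run build
          - uses: actions/upload-artifact@v4
            with:
              name: site
              path: dist/
    """)

# A step begins with "- uses:", "- run:" or "- name:"; split the file into those chunks.
STEP_SPLIT_RE = re.compile(r"\n\s*-\s+(?=uses:|run:|name:)")
# Artifact paths that capture the whole checkout directory, .git included.
WORKSPACE_PATHS = {".", "./", "${{ github.workspace }}"}


def lint_workflow(text):
    """Regex-based checks (no YAML parser needed); returns a list of finding strings."""
    findings = []
    # Mitigation 3: minimise token permissions by declaring them explicitly.
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append(
            "no top-level permissions block: GITHUB_TOKEN falls back to the repository default scope"
        )
    for step in STEP_SPLIT_RE.split(text):
        # Mitigation 2: change the sensitive default on actions/checkout.
        if "uses: actions/checkout" in step and not re.search(
            r"persist-credentials:\s*false", step
        ):
            findings.append(
                "actions/checkout keeps the token in .git/config (set persist-credentials: false)"
            )
        # Mitigation 1: upload a reviewed output directory, never the whole workspace.
        if "uses: actions/upload-artifact" in step:
            m = re.search(r"path:\s*(.+)", step)
            path = m.group(1).strip() if m else ""
            if path in WORKSPACE_PATHS:
                findings.append(
                    f"upload-artifact path '{path}' ships the whole checkout, .git included"
                )
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {lint_workflow(wf) or 'no findings'}")
```

One practical consequence of persist-credentials: false is that a later step in the same job can no longer push with the stored token; a step that genuinely needs to push should be given an explicitly scoped token for that step alone rather than inheriting one from the checkout.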
Commenting on this story is Glenn Chisholm, CEO and Co-founder at Obsidian Security: “The finding highlights the criticality of authentication tokens, and how attackers are increasingly using stolen human and non-human authentication tokens to access source code, SaaS applications,” Glenn explained.
“Organisations should ensure that they are looking for abnormal patterns associated with the use of authentication tokens; and given that GitHub is placing the responsibility on enterprises and users, they should ensure good configuration hygiene and scanning of their repos and workflows to avoid the inadvertent leakage of tokens,” he added.