GitHub Actions Runner VM token compromised - no damage done #67
Assignees
Labels
priority: P1
Big impact or workaround impractical; resolve before feature release
type: CI
An issue with our continuous integration tests
type: vulnerability
A security issue with the project, the CI, or the repo
Milestone
Comments
joeyparrish
added
priority: P1
joeyparrish
added
the
status: waiting on response
|
Closing due to inactivity. If this is still an issue for you or if you have further questions, the OP can ask shaka-bot to reopen it by including |
github-actions
bot
removed
the
status: waiting on response
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Overview
In the interest of transparency, I'm disclosing that a malicious PR compromised our GitHub Actions Runner VMs. A token from the VM's service account was exfiltrated. This was noticed quickly (within about 3 hours), and workflows and VMs were were shut down.
Right before the shut down, the attacker tried to access the VM's Docker daemon, and was interrupted in the attempt.
The attack was carried out by a security researcher, and no damage was done.
VM token
The exfiltrated token expired after one hour and was not used for anything as far as Google Security can tell.
While I was investigating the attack and working on remediation, GitHub announced the availability of Linux arm64 runners hosted and managed by GitHub. This removes the need for our own self-hosted runner VMs. Our VMs were deleted today. This is super simple and we are super lucky on the timing of this feature from GitHub.
PR As A Point Of Ingress
The other tricky aspect of this attack was that the attacker was able to execute the PR workflow in spite of the "require approval for first-time contributors" rule enabled on the repo. It turns out that the
pull_request_targettrigger bypasses this rule. This, combined with the PR-author-controlled build scripts, is just begging forattacks"research".So why use
pull_request_target? It's because we were using thevarscontext for repo-specific settings. This context is not available in apull_requesttrigger, or rather, it pulls variables from the PR-author's repo, not the target repo.Before we started using
varsfor repo-specific settings, we used to use "environments" to set flags on the repo. These can be read publicly no matter the context, and that system was in use by Shaka Packager before GitHub introducedvars.So to resolve that, we go back to
pull_requesttriggers and the use of "environments" to set flags for things like self-hosted runners (not presently needed) or debug flags (still sometimes needed).Remediation Work
The following changes were made across repositories to clean things up:
ubuntu-24.04-armis available:pull_request_target, to enforce "require approval" rules for workflows:The text was updated successfully, but these errors were encountered: