high

Azure Devops Zero-Click CI/CD Vulnerability

Published Wed, Jan 31st, 2024
Platforms

Summary

Legit Security found a zero-click vulnerability in Azure Pipelines that allows an attacker to access secrets and internal information and perform actions in elevated permissions in the context of a pipeline workflow. This could allow attackers to move laterally in the organization and initiate supply chain attacks. When a pipeline is triggered by a "pipeline resource trigger," it shows in the platform as "Automatically Triggered For …" Instead of running in fork default permissions, preventing any access to secrets and sensitive actions, Azure Pipelines "confuses" the trigger for an internal build allowing access sensitive build secrets. Exploitability depends on a public GitHub repository that runs Azure pipelines on pull-request, with default Azure pipeline fork configurations to trigger pipeline run, and Pipeline-Triggers.

Affected Services

Azure DevOps Services, Azure Pipelines

Remediation

None required if you are using Azure DevOps cloud services. Otherwise, make sure you're running a patched build.

Tracked CVEs

CVE-2023-36561

References

Entry Status
Finalized
Disclosure Date
Tue, May 23rd, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Nadav Noy, Legit Security