high

Azure Pipelines Agent poisoned pipeline execution

Published Wed, Dec 20th, 2023

Platforms

azuregithub

Summary

Azure Pipelines and GitHub Actions allow deployment of runners and agents using VM images sourced from a GitHub-managed repository (github.com/actions/runner-images). This repo was misconfigured to use self-hosted runners insecurely, in a way that could have allowed a malicious external contributor (i.e., anyone who had previously had at least one PR approved and merged in the repo) to poison the repository and achieve code execution on runners in the repo. This in turn could have theoretically allowed an attacker to modify the source code of the images, and thereby conduct a supply chain attack against Pipelines and Actions customers.

Affected Services

Azure Pipelines, GitHub Actions

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Sat, Jul 22nd, 2023

Exploitability Period

Until 2023/07/26

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Adnan Khan

More vulnerabilities...

critical

Poisoning GitHub's Runner Images Supply Chain Attack

github

A critical vulnerability in GitHub's actions/runner-images repository allowed arbitrary code execution on self-hosted runners, potentially enabling modification of GitHub's runner base images. The ...

Adnan Khan
high

Data Exfiltration Through CloudTrail

aws

This scenario describes a potential data exfiltration technique using AWS CloudTrail. An attacker with access to CloudTrail logs could potentially extract sensitive information from logged events, ...

low

AWS IAM Identity Center Expiry

aws

AWS IAM Identity Center exchanges third-party OIDC tokens for Identity Center-issued tokens. Identity Center relies on the jti claim in the third-party tokens to prevent replay attacks. Identity C...

Aidan Steele
View all