Tenable Research has identified a critical vulnerability, rated 9.3 on the CVSSv4 scale, in a Microsoft GitHub repository. The issue indicates potential remote code execution (RCE) and possible unauthorised access, and highlights CI/CD infrastructure as part of the broader attack surface in modern software environments.
The vulnerability was found in a GitHub workflow used within the Windows-driver-samples repository. The repository has approximately 5,000 forks and 7,700 stars and is frequently used by developers. Tenable researchers demonstrated how the CI/CD workflow could be used in a way that may impact the software supply chain.
The issue is based on a Python string injection vulnerability. The exploitation path is described as follows:
- Issue Creation: An attacker creates a GitHub issue, a feature available to any registered user.
- Malicious Injection: The attacker includes Python code within the issue description.
- Automatic Execution: The GitHub workflow is triggered when the issue is created, executing the code via the GitHub runner.
- Secret Exfiltration: The process may allow extraction of repository secrets, including the GITHUB_TOKEN.
The exposed GITHUB_TOKEN is used for repository operations. As the repository predates 2023, the token retained default permissions, which could allow unauthorised operations and potentially enable actions such as creating issues or modifying repository content.
Tenable notes that CI/CD environments require appropriate safeguards to reduce exposure to supply chain risks and potential impacts on downstream systems.
To address similar issues, Tenable recommends:
- Strict Security Controls: Implementing security measures to protect source code and maintain build integrity in automated workflows.
- Permission Review: Reviewing and restricting GITHUB_TOKEN permissions to limit default access.
- Pipeline Monitoring: Regular audits of automated workflows to identify potential injection vulnerabilities, particularly those triggered by external input.
The findings highlight the importance of securing CI/CD systems as part of broader software development and delivery processes.
