A newly identified attack vector in GitHub Actions artifacts, named ArtiPACKED, poses a significant risk by potentially allowing threat actors to take control of repositories and gain access to organizational cloud environments.
Palo Alto Networks Unit 42 researcher Yaron Avital highlighted in a report this week that a combination of misconfigurations and security flaws could cause artifacts to leak tokens. These tokens, which could belong to third-party cloud services or GitHub, might become accessible to anyone with read access to the repository.
This flaw allows malicious actors who gain access to these artifacts to potentially compromise the services protected by these secrets.
GitHub Actions uses artifacts to enable data sharing between jobs in a workflow and store the information for up to 90 days, including builds, log files, core dumps, test outputs, and deployment packages. This functionality can inadvertently expose sensitive data such as GitHub access tokens, especially in open-source projects where these artifacts are publicly available.
The vulnerability is particularly concerning because artifacts can reveal an undocumented environment variable known as ACTIONS_RUNTIME_TOKEN. This token lasts for about six hours and can be exploited to replace an artifact with a malicious version before the token expires.
Such exploitation could lead to remote code execution if developers unknowingly download and run the rogue artifact or if subsequent workflow jobs are set to execute based on previously uploaded artifacts.
While the GITHUB_TOKEN is designed to expire when the job concludes, enhancements to the artifacts feature in version 4 introduced potential race condition scenarios. An attacker might exploit these scenarios to steal and use the token by downloading an artifact during an ongoing workflow run.
Once obtained, the token could be used to inject malicious code into the repository by creating a new branch before the token expires. This attack relies on the workflow possessing the “contents: write” permission.
#GitHub: @unit42_intelDiscovered A New GitHub Actions Race Condition #VulnerabilityDubbed #ArtiPACKEDwhich Exposes Critical Credentials including GitHub tokens and cloud service keys:
:point_down:https://t.co/aF50I5J1gfpic.twitter.com/BTtmG7Cs1f— Sam Stepanyan (@securestep9) August 14, 2024
Several open-source repositories linked to Amazon Web Services (AWS), Google, Microsoft, Red Hat, and Ubuntu have been identified as vulnerable to this attack. GitHub has classified the issue as informational, indicating that users must take responsibility for securing their uploaded artifacts.
The deprecation of Artifacts V3 by GitHub should urge organizations utilizing the artifacts feature to reassess their usage strategies. Overlooked elements, like build artifacts, are increasingly becoming primary targets for attackers.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
