Tenable reveals that its latest research has identified a critical vulnerability (CVSSv4 9.3) in a Microsoft GitHub repository.
According to the research, this allowed for Remote Code Execution (RCE) and unauthorised access to repository secrets.
This disclosure highlights that CI/CD infrastructure is a critical part of a modern attack surface.
The discovery involves a vulnerable GitHub workflow (one of GitHub's automation scripts, made up of one or more jobs run by GitHub Actions) within the Windows-driver-samples repository.
This repository, which has been forked 5,000 times and has 7,700 stars, represents a significant point of interaction for developers.
Tenable researchers demonstrated how the repository’s CI/CD infrastructure could be exploited to compromise the software supply chain.
The vulnerability stems from a simple Python string injection flaw. Attackers could exploit this through the following steps:
The exfiltrated GITHUB_TOKEN is a secret that allows for operations on a GitHub repository.
As the repository was created before 2023 and the token allowed at least issue creation without an explicit permissions block in the workflow, the researchers infer that the token likely retained the default read and write permissions.
According to Tenable’s research, this could allow unauthorised users to perform privileged operations on behalf of Microsoft, such as creating issues or modifying repository content.
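The class of flaw described above is GitHub Actions expression injection: GitHub substitutes `${{ ... }}` expressions textually into a step before it runs, so an attacker-controlled value such as an issue title that lands inside an inline Python string literal can close the literal and append statements. The example below is an added illustration written for this article, not Tenable's proof of concept or the actual Windows-driver-samples workflow; the step bodies, the `github.event.issue.title` expression, the `ISSUE_TITLE` variable name and the constructed payload are all assumptions. It shows a vulnerable step beside the hardened form (value passed through an environment variable instead of interpolated into code), a static check that flags event-derived expressions inside inline scripts, and an AST-based check that detects when interpolation changes the script's statement structure.

```python
"""Detecting GitHub Actions expression injection into an inline Python step.

Added example, not code from the article or from Tenable. The step bodies and
names below are constructed for illustration.
"""
import ast
import re

# Matches ${{ expression }} as it appears in a workflow step (assumption:
# simple dotted names only, which covers the common github.event.* cases).
EXPR = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")

# Expression prefixes whose values are attacker-controlled (issue/PR titles,
# bodies, branch names, commit messages). Constructed list, not exhaustive.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref")

# Constructed vulnerable step: the event payload is pasted into Python source.
VULNERABLE_STEP = 'title = "${{ github.event.issue.title }}"\nprint(title)\n'

# Constructed hardened step: the workflow passes the value via
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
# and the script reads it at runtime, so it can only ever be data.
HARDENED_STEP = 'import os\ntitle = os.environ["ISSUE_TITLE"]\nprint(title)\n'

# Constructed payload: closes the string literal and adds statements. Benign
# on purpose; it only demonstrates the structural change.
PAYLOAD = 'x"; print("injected"); y = "'


def find_untrusted_expressions(step: str) -> list[str]:
    """Static check: list ${{ }} expressions in a step that derive from
    attacker-controlled event data. A non-empty result means the step body
    should be rewritten to take the value from an environment variable."""
    return [
        m.group(1)
        for m in EXPR.finditer(step)
        if m.group(1).startswith(UNTRUSTED_PREFIXES)
    ]


def render(step: str, context: dict[str, str]) -> str:
    """Mimic GitHub's textual substitution of ${{ }} expressions."""
    return EXPR.sub(lambda m: context.get(m.group(1), ""), step)


def statement_count(script: str) -> int:
    """Number of top-level statements Python would execute for this script."""
    return len(ast.parse(script).body)


def is_injected(step: str, context: dict[str, str]) -> bool:
    """Dynamic check: interpolate the real context and compare the resulting
    statement structure with a harmless baseline. A different count (or a
    syntax error) means the value was interpreted as code, not data."""
    baseline = statement_count(render(step, {k: "x" for k in context}))
    try:
        rendered = statement_count(render(step, context))
    except SyntaxError:
        return True
    return rendered != baseline


if __name__ == "__main__":
    ctx = {"github.event.issue.title": PAYLOAD}
    print("untrusted expressions:", find_untrusted_expressions(VULNERABLE_STEP))
    print("vulnerable step injected:", is_injected(VULNERABLE_STEP, ctx))
    print("hardened step injected:", is_injected(HARDENED_STEP, ctx))
```

The static check is the one to run in review or as a lint over `.github/workflows/`: any `github.event.*` or `github.head_ref` expression inside a `run:` block or inline script is a finding regardless of payload. The AST comparison is only a demonstration of why the finding matters; with the hardened form the same payload reaches the script as the contents of `ISSUE_TITLE` and is never parsed as Python.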
Rémy Marot, Staff Research Engineer at Tenable, commented: “The CI/CD infrastructure is part of an organisation’s attack surface and software supply chain.
“Without strong safeguards, a vulnerability in a pipeline can be exploited to trigger large-scale supply chain attacks and have critical impacts on downstream systems and users.”
Following the disclosure, Tenable emphasises that organisations must treat their CI/CD pipelines as critical infrastructure.
To prevent similar exposures, the following are recommended: