
TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks


Jan 18, 2024 | Newsroom | Supply Chain Attacks / AI Security


Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.

The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via a malicious pull request," Praetorian researchers Adnan Khan and John Stawinski said in a report published this week.

Successful exploitation of these issues could allow an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.

TensorFlow uses GitHub Actions to automate its software build, test, and deployment pipeline. Runners, the machines that execute jobs in a GitHub Actions workflow, can be either self-hosted or hosted by GitHub.


"We recommend that you only use self-hosted runners with private repositories," GitHub notes in its documentation. "This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow."

Put differently, this allows any contributor to execute arbitrary code on the self-hosted runner by submitting a malicious pull request.

This, however, does not pose a security concern with GitHub-hosted runners, as each runner is ephemeral: a clean, isolated virtual machine that is destroyed at the end of the job.

Praetorian said it was able to identify TensorFlow workflows that executed on self-hosted runners, and subsequently found fork pull requests from previous contributors that automatically triggered those CI/CD workflows without requiring approval, because approval was only enforced for first-time contributors.

An adversary looking to trojanize a target repository could, therefore, fix a typo or make a small but legitimate code change, open a pull request for it, and wait until the pull request is merged in order to become a contributor. Any subsequent pull request from that account would then run on the runner without approval, allowing the attacker to execute code there by creating a rogue pull request without raising a red flag.

Further examination of the workflow logs revealed not only that the self-hosted runner was non-ephemeral (thus opening the door to persistence across jobs), but also that the GITHUB_TOKEN permissions associated with the workflow came with extensive write permissions.

"Because the GITHUB_TOKEN had the Contents:write permission, it could upload releases to https://github[.]com/tensorflow/tensorflow/releases/," the researchers said. "An attacker that compromised one of these `GITHUB_TOKEN`s could upload their own files to the Release Assets."

On top of that, the contents:write permission could be weaponized to push code directly to the TensorFlow repository by covertly injecting malicious code into a feature branch and getting it merged into the main branch.

That's not all. A threat actor could steal the AWS_PYPI_ACCOUNT_TOKEN used in the release workflow to authenticate to the Python Package Index (PyPI) registry and upload a malicious Python .whl file, effectively poisoning the package.

"An attacker could also use the GITHUB_TOKEN's permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners," the researchers said.


Following responsible disclosure on August 1, 2023, the shortcomings were addressed by the project maintainers as of December 20, 2023, by requiring approval for workflows submitted from all fork pull requests and by changing the GITHUB_TOKEN permissions to read-only for workflows that ran on self-hosted runners.
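The checks a practitioner would run over a repository's workflow files to find the combination described above (a fork-triggered job on a self-hosted runner, plus jobs on that runner whose GITHUB_TOKEN or secrets can write) and to confirm the fix, written here as an added example rather than code from Praetorian or the TensorFlow project. It embeds two constructed workflows modelled on the article's description, a pull-request build and a tagged release, and derives their hardened variants; the file names, job names, labels and the minimal YAML-subset parser are assumptions, and a real audit would load the files with yaml.safe_load.

```python
import re

FORK_TRIGGERS = {"pull_request", "pull_request_target"}   # events a fork PR can fire
HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")        # GitHub-hosted runner labels

def _scalar(s):
    s = s.strip()
    if s.startswith("[") and s.endswith("]"):               # flow sequence: [self-hosted, linux]
        return [_scalar(x) for x in s[1:-1].split(",") if x.strip()]
    return s.strip("'\"")

def parse_workflow(text):
    """Parse the YAML subset used below (nested maps, scalars, [a, b] lists). Not a YAML
    parser (an assumption for this example): use yaml.safe_load on real workflow files."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    indent = lambda i: len(lines[i]) - len(lines[i].lstrip(" "))
    pos = 0
    def block(level):
        nonlocal pos
        node = {}
        while pos < len(lines) and indent(pos) >= level:
            key, _, val = lines[pos].strip().partition(":")
            pos += 1
            if val.strip():
                node[key] = _scalar(val)
            elif pos < len(lines) and indent(pos) > level:  # nested block follows
                node[key] = block(indent(pos))
            else:
                node[key] = None                             # e.g. "pull_request:" with no filters
        return node
    return block(indent(0)) if lines else {}

def _self_hosted(job):  # heuristic: any label that is not GitHub-hosted means a self-hosted runner
    labels = job.get("runs-on") or ""
    return any(not l.startswith(HOSTED_PREFIXES) for l in (labels if isinstance(labels, list) else [labels]))

def _write_scopes(perms):
    if perms is None:        # no permissions block: the token inherits the repository default,
        return ["repository default (may be read/write)"]   # which is how the token got contents:write
    if perms == "write-all":
        return ["all"]
    return [s for s, lvl in perms.items() if lvl == "write"] if isinstance(perms, dict) else []

def audit(workflows):
    """workflows: {filename: yaml text}. Returns a list of (severity, message)."""
    parsed = {name: parse_workflow(text) for name, text in workflows.items()}
    exposed, findings = [], []
    for name, wf in parsed.items():
        on = wf.get("on")
        fork_triggered = FORK_TRIGGERS & set(on if isinstance(on, (dict, list)) else [on])
        exposed += [f"{name}/{job}" for job, spec in (wf.get("jobs") or {}).items()
                    if fork_triggered and _self_hosted(spec)]
    if not exposed:
        return findings
    findings.append(("medium", "fork PR code can run on a self-hosted runner via " + ", ".join(exposed)
                     + "; require approval for all fork PRs and make the runner ephemeral"))
    # Conservative assumption: any other self-hosted job may land on the same machine, where
    # an implant left behind by the fork PR can read that job's GITHUB_TOKEN and secrets.
    for name, wf in parsed.items():
        jobs = wf.get("jobs") or {}
        for job, spec in jobs.items():
            writes = _write_scopes(spec.get("permissions", wf.get("permissions")))
            if _self_hosted(spec) and writes:
                findings.append(("high", f"{name}/{job} is a self-hosted job whose GITHUB_TOKEN "
                                 f"has write on: {', '.join(writes)}"))
        secrets = set(re.findall(r"secrets\.(\w+)", workflows[name])) - {"GITHUB_TOKEN"}
        if secrets and any(_self_hosted(spec) for spec in jobs.values()):
            findings.append(("medium", f"{name} hands secrets {sorted(secrets)} to a self-hosted runner"))
    return findings

# Constructed sample workflows modelled on the article's description, not TensorFlow's own files.
PR_BUILD_WEAK = """
on:
  pull_request:
jobs:
  build:
    runs-on: [self-hosted, linux, x64]
"""
RELEASE_WEAK = """
on:
  push:
permissions:
  contents: write
jobs:
  wheel:
    runs-on: [self-hosted, linux, x64]
    env:
      TWINE_PASSWORD: ${{ secrets.AWS_PYPI_ACCOUNT_TOKEN }}
"""
# Hardened variants: a read-only token on every job that uses the self-hosted runner. Requiring
# approval for all fork PRs is a repository setting the YAML cannot express, so it stays a manual check.
PR_BUILD_FIXED = PR_BUILD_WEAK.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
RELEASE_FIXED = RELEASE_WEAK.replace("contents: write", "contents: read", 1)
WEAK = {"pr-build.yml": PR_BUILD_WEAK, "release.yml": RELEASE_WEAK}
FIXED = {"pr-build.yml": PR_BUILD_FIXED, "release.yml": RELEASE_FIXED}

if __name__ == "__main__":
    for label, files in (("weak", WEAK), ("fixed", FIXED)):
        print(label, *(f"\n  [{sev}] {msg}" for sev, msg in audit(files)))
```

Run against the weak set the audit reports two high findings (the PR build inherits the repository's default token permissions, and the release job carries contents:write on the same runner class) plus the medium findings for fork exposure and for the PyPI secret; against the hardened set only the medium findings remain, because the read-only token removes the write path while the fork-PR approval requirement, like the runner's ephemerality, lives outside the YAML and has to be verified in the repository settings. The audit deliberately treats every self-hosted job as able to share a machine with a fork-exposed one, which is the assumption a non-ephemeral runner forces on you.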

"Similar CI/CD attacks are on the rise as more organizations automate their CI/CD processes," the researchers said.

"AI/ML companies are particularly vulnerable as many of their workflows require significant compute power that's not available in GitHub-hosted runners, thus the prevalence of self-hosted runners."

The disclosure comes as the same two researchers revealed that several public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions runners.
