Microsoft's GitHub repository has been found to have a critical vulnerability, posing a significant risk to the software supply chain. The issue, discovered by Tenable Research, involves a remote code execution flaw in the Windows-driver-samples repository, which is a publicly accessible project with 5,000 forks and 7,700 stars. This vulnerability could allow attackers to exploit a Python string injection flaw in an automated workflow, potentially compromising the entire software supply chain tied to the repository.
The flaw lies in the GitHub Actions automation system, which is used to manage software development pipelines. By creating a GitHub issue with malicious Python code, an attacker could trigger the workflow to execute the code automatically, gaining access to the GitHub runner and potentially exposing sensitive information such as the GITHUB_TOKEN and other repository secrets. This token, which grants access to perform actions on the repository, was found to have default read and write access, allowing unauthorized users to carry out actions with Microsoft-level privileges.
This discovery highlights a critical aspect of cyber risk often overlooked in customer-facing products. Continuous integration and continuous delivery pipelines, while essential for testing and building code, also process external input and hold sensitive credentials, making them attractive targets for attackers. The ease of exploitation in this case, where a simple issue submission by any registered GitHub user could trigger the vulnerable workflow, should raise concerns among security teams.
Rémy Marot, Staff Research Engineer at Tenable, emphasizes the broader security implications of this issue. He states, 'The CI/CD infrastructure is part of an organization's attack surface and software supply chain. Without strong safeguards, a vulnerability in a pipeline can be exploited to trigger large-scale supply chain attacks and have critical impacts on downstream systems and users.'
To mitigate this risk, Tenable recommends treating CI/CD systems as critical infrastructure and implementing tighter controls around source code protection and build integrity in automated workflows. Development teams should explicitly review and restrict token permissions, ensuring that the GITHUB_TOKEN has only the minimum access needed to prevent abuse. Regular audits of automated workflows, especially those triggered by external user input, are crucial to identifying and addressing potential vulnerabilities.
This incident underscores the challenges faced by companies maintaining public code repositories while relying on automation. While convenience features streamline development, they can also introduce security risks when workflows execute data from untrusted sources. For Microsoft and other large software suppliers, this finding carries significant weight, as development practices in prominent public projects often influence other teams, and a flaw in a widely observed workflow can have far-reaching consequences for the entire software industry.
