high

Azure DevOps Zero-Click CI/CD Vulnerability

Published Wed, Jan 31st, 2024

Platforms

Azure, GitHub

Summary

Legit Security found a zero-click vulnerability in Azure Pipelines that allows an attacker to access secrets and internal information and to perform actions with elevated permissions in the context of a pipeline workflow. This could allow attackers to move laterally in the organization and initiate supply chain attacks. When a pipeline is triggered by a "pipeline resource trigger," it shows in the platform as "Automatically Triggered For …". Instead of running with the default fork permissions, which prevent any access to secrets and sensitive actions, Azure Pipelines "confuses" the trigger for an internal build, allowing access to sensitive build secrets. Exploitability depends on a public GitHub repository that runs Azure Pipelines on pull requests, with the default Azure Pipelines fork configuration that triggers a pipeline run, and pipeline triggers.

Affected Services

Azure DevOps Services, Azure Pipelines

Remediation

None required if you are using Azure DevOps cloud services. Otherwise, make sure you're running a patched build.

Tracked CVEs

CVE-2023-36561

References

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, May 23rd, 2023

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Nadav Noy, Legit Security