critical

Poisoning GitHub's Runner Images Supply Chain Attack

Published Wed, Dec 20th, 2023

Platforms

GitHub

Summary

A critical vulnerability in GitHub's actions/runner-images repository allowed arbitrary code execution on self-hosted runners, potentially enabling modification of GitHub's runner base images. The flaw stemmed from misconfigured self-hosted runners on a public repository with default workflow approval settings. The researcher gained persistence, accessed secrets, and could have inserted malicious code into GitHub's runner images used by customers.

Affected Services

GitHub Actions

Remediation

Change repository settings to "Require approval for all outside collaborators" for any public repository using self-hosted runners. Apply defense-in-depth measures to self-hosted runners.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Sat, Jul 22nd, 2023

Exploitability Period

Until 2023/07/25

Known ITW Exploitation

-

Detection Methods

Monitor for unexpected changes to workflow files, especially the runs-on field. Review logs for signs of unauthorized access or unusual activity on self-hosted runners. Implement strict approval processes for workflows from fork pull requests.
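One way to automate the runs-on review described above, as an added example that is not part of this entry or of GitHub's own tooling: a small Python audit that parses workflow files heuristically (no PyYAML dependency) and flags any workflow where a fork-triggered event (pull_request or pull_request_target) runs on a label that is not GitHub-hosted. The hosted-label prefixes, the parsing rules and the sample workflow are assumptions, not values from the entry.

```python
import re
# GitHub-hosted labels start with these prefixes; anything else (including ${{ }} expressions) is flagged.
HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")
FORK_TRIGGERS = {"pull_request", "pull_request_target"}  # events a fork's PR can fire

def _children(lines, start, indent):
    """Yield (indent, text) of non-blank, non-comment lines nested deeper than `indent`."""
    for nxt in lines[start + 1:]:
        ind = len(nxt) - len(nxt.lstrip())
        if nxt.strip() and ind <= indent:
            break
        if nxt.strip() and not nxt.lstrip().startswith("#"):
            yield ind, nxt.strip()

def runs_on_labels(text):
    """Every label named in a runs-on field (scalar, inline list or indented block list)."""
    labels, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)runs-on:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(2):
            items = m.group(2).strip("[]").split(",")
        else:  # block list indented under the key
            items = [t[1:] for _, t in _children(lines, i, len(m.group(1))) if t.startswith("-")]
        labels += [v.strip().strip("'\"") for v in items if v.strip()]
    return labels

def fork_triggers(text):
    """pull_request* events in the top-level on: block, i.e. events a fork can start."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1):  # inline form: on: push  /  on: [push, pull_request]
            names = [v.strip() for v in m.group(1).strip("[]").split(",")]
        else:  # block form: one key (or list item) per line at the first child indent
            kids = list(_children(lines, i, 0))
            names = [t.lstrip("- ").rstrip(":") for ind, t in kids if ind == kids[0][0]]
        return sorted(FORK_TRIGGERS & set(names))
    return []

def audit_workflow(text):
    """Report fork triggers, non-hosted labels, and whether both occur in one workflow."""
    triggers = fork_triggers(text)
    labels = [l for l in runs_on_labels(text) if not l.startswith(HOSTED_PREFIXES)]
    return {"fork_triggers": triggers, "self_hosted_labels": labels, "at_risk": bool(triggers and labels)}

# Constructed sample showing the risky pattern: a fork-triggered job on a self-hosted runner.
SAMPLE = "on:\n  pull_request:\n    branches: [main]\n  push:\njobs:\n  build:\n    runs-on:\n      - self-hosted\n      - linux\n"
```

Run `audit_workflow` over each file under `.github/workflows/` in a public repository and alert on `at_risk`; diffing its output between commits also surfaces the runs-on changes the entry says to monitor.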

Piercing Index Rating

-

Discovered by

Adnan Khan