high

Azure Pipelines Agent poisoned pipeline execution

Published Wed, Dec 20th, 2023
Platforms

Summary

Azure Pipelines and GitHub Actions allow deployment of runners and agents using VM images sourced from a GitHub-managed repository (github.com/actions/runner-images). This repo was misconfigured to use self-hosted runners insecurely, in a way that could have allowed a malicious external contributor (i.e., anyone who had previously had at least one PR approved and merged in the repo) to poison the repository and achieve code execution on runners in the repo. This in turn could have theoretically allowed an attacker to modify the source code of the images, and thereby conduct a supply chain attack against Pipelines and Actions customers.

Affected Services

Pipelines

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Sat, Jul 22nd, 2023
Exploitablity Period
Until 2023/07/26
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Adnan Khan