eth-educators / ethstaker-deposit-cli

Secure key generation for deposits
https://eth-educators.github.io/ethstaker-deposit-cli/
Creative Commons Zero v1.0 Universal

Use of unpinned third-party docker image and actions on workflows [TOB-ETHSTAKER-1] #181

Closed remyroy closed 1 month ago

remyroy commented 1 month ago

Reported by Trail of Bits from their EthStaker Deposit CLI Security Assessment DRAFT report presented on October 8 2024.

Description

Several workflows in the repository directly use third-party actions such as peaceiris/actions-mdbook@v2, peaceiris/actions-gh-pages@v4, docker/login-action@v3, docker/metadata-action@v5, docker/build-push-action@v6, and crazy-max/ghaction-import-gpg@v6. Some of these workflows have privileged access to secrets such as the GPG private key and its passphrase.

```yaml
- name: Import GPG key
  uses: crazy-max/ghaction-import-gpg@v6
  id: import-gpg-key
  with:
    gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
    passphrase: ${{ secrets.PASSPHRASE }}
    trust_level: 5
```

Git tags are malleable. This means that while, for example, crazy-max/ghaction-import-gpg is pinned to v6, the upstream may silently change the reference pointed to by v6. This can include malicious re-tags, which may cause EthStaker’s workflow to suddenly start executing malicious code.

GitHub’s security hardening guidelines for third-party actions encourage developers to pin third-party actions to a full-length commit hash. Generally excluded from this are “official” actions under the actions organization; however, these other actions are not developed by GitHub.

The Dockerfile in the repository exhibits an analogous issue; the FROM line indicates an image tag name which may change on the server side. To prevent these images from silently changing, these should be pinned with a sha256 hash.

```dockerfile
FROM python:3.12-slim-bookworm
```

Exploit Scenario

An attacker (or compromised maintainer) silently replaces the v6 tag on the crazy-max/ghaction-import-gpg repository with a malicious action that leaks the GPG keys provided and injects malware into binaries. When the “ci-build” workflow is run, the GPG key is leaked and malicious binaries are published.

Recommendations

Short term, replace the current version tag references used in the workflow for third-party actions with full-length commit hashes. Similarly, pin Docker base images by their full hashes.

Long term, use Dependabot’s support for GitHub Actions to keep third-party action commit hashes up to date, complemented with maintainer reviews to ensure their safety. Incorporate static analysis tools such as Semgrep into the CI pipeline to detect issues earlier on.

remyroy commented 1 month ago

The short-term solution has been implemented for this issue. Work on the long-term solution is partly started with the full implementation of Dependabot. More work needs to be done to explore tools such as Semgrep.
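A CI check for the pinning rule this issue describes, as an added example (not part of the issue thread or the project's code): it flags `uses:` references that are not a full 40-character commit hash and `FROM` lines without an `@sha256:` digest. The function names, the `trusted_owners` default (the `actions` organization, following the exclusion mentioned in the report), and the sample inputs are assumptions made for illustration.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_text, trusted_owners=("actions",)):
    """Return (line, ref) for each `uses:` not pinned to a full commit hash."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local (./) and docker:// references are out of scope for this check.
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1)
        name, _, version = ref.partition("@")
        if name.split("/")[0] in trusted_owners:
            continue
        if not FULL_SHA.fullmatch(version):   # tags and branches are mutable
            findings.append((lineno, ref))
    return findings

def unpinned_images(dockerfile_text):
    """Return (line, image) for each FROM without an @sha256 digest."""
    findings, stages = [], set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # `scratch` and earlier build stages are not pulled from a registry.
        if image.lower() != "scratch" and image not in stages \
                and not DIGEST.search(image):
            findings.append((lineno, image))
        if alias:
            stages.add(alias)
    return findings

# Constructed samples; the hash and digest are placeholders, not real objects.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: crazy-max/ghaction-import-gpg@v6
  - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3
"""
SAMPLE_DOCKERFILE = ("FROM python:3.12-slim-bookworm AS build\n"
                     "FROM python:3.12-slim-bookworm@sha256:" + "0" * 64 + "\nFROM build\n")

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW), unpinned_images(SAMPLE_DOCKERFILE))
```

Passing `trusted_owners=()` applies the full-hash requirement to every action, including those under the `actions` organization.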