2023-06-12 –, Salon C
GitHub Actions has helped companies automate their CI/CD pipeline with ease by directly integrating with their code sources. This ease however can come with pain when various vulnerabilities arise due to misconfigurations, code vulnerabilities and supply-chain attack vectors.
This talk will cover three different vulnerability types in GitHub Actions. We’ll go over basic code execution examples due to unsanitized user inputs, and two unique vulnerabilities seen by us. The first vulnerability will cover a supply chain attack by exploiting vulnerable third-party actions used by companies and government agencies. The second exploit will cover misconfiguration in OIDCs connected between GitHub Actions and Amazon Web Services that affected large organizations.
The talk will wrap up with some mitigation measures on how these vulnerabilities can be detected and patched. In addition, we will cover some detection examples of how potential abuse/exploitations of the vulnerabilities can be properly triaged.
Rojan Rijal is a security researcher at Tinder Security Labs. Rojan has seven years of experience identifying vulnerabilities in open source, SaaS products and cloud environments. Rojan has been recognized for finding impactful vulnerabilities in private organizations such as Netflix, Zoom, Google, and GitHub and public organizations like the United State Air Force and the United Kingdom’s Ministry of Defence. Rojan has presented his research at conferences like BSides San Francisco, Recon Village at Defcon 30 and more.