Most active commenters
  • donavanm(3)

←back to thread

Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)
297 points cyberbender | 29 comments | 30 Mar 25 19:54 UTC | HN request time: 0.29s | source | bottom
1. nyrikki ◴[30 Mar 25 21:51 UTC] No.43528008[source]
No mention why this temp token had rights to do things like create a new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp tokens permissions to something more appropriate for a code analysis engine.

replies(6): >>43528290 #>>43531049 #>>43533461 #>>43538343 #>>43538350 #>>43545199 #
2. declan_roberts ◴[30 Mar 25 22:21 UTC] No.43528290[source]
I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.
replies(2): >>43528378 #>>43528414 #
3. azemetre ◴[30 Mar 25 22:30 UTC] No.43528378[source]
What's the over/under that said engineer could solve two medium leetcodes in under and hour?
4. setr ◴[30 Mar 25 22:36 UTC] No.43528414[source]
Does any RBAC system actually tell you the missing permissions required to access the object in question? It’s like they’re designed to create this behavior
replies(4): >>43528495 #>>43528507 #>>43529353 #>>43534107 #
5. levkk ◴[30 Mar 25 22:45 UTC] No.43528495{3}[source]
Not usually, that's considered an potential attack vector I believe. You're looking to minimize information leakage.
6. Normal_gaussian ◴[30 Mar 25 22:47 UTC] No.43528507{3}[source]
Yes. Most auth systems do to the developer - GCP & AWS IAM give particularly detailed errors; nearly every feature/permission system I have implemented did. However, it wouldn't be unusual for the full error to be wrapped or swallowed by some lazy error handling. Its a bit of a PITA but well worth it to translate to a safe and informative user facing error.

as a nit; RBAC is applied to an object based permissions system rather than being one. Simply, RBAC is a simplification of permission management in any underlying auth system.

replies(3): >>43528721 #>>43529190 #>>43531266 #
7. 8note ◴[30 Mar 25 23:11 UTC] No.43528721{4}[source]
ive never seen aws give a useful error where i could say which resources need a handshake of permissions, or which one of the two needs the permission granted, or which permission needs to be granted.
replies(2): >>43528779 #>>43531002 #
8. milch ◴[30 Mar 25 23:19 UTC] No.43528779{5}[source]
AWS throws errors that look like `arn:aws:iam:... is not authorized to call "$SERVICE_NAME:$API_NAME" on resource arn:aws:$SERVICE_NAME:...`. I think it's more complicated when you go cross account, and the receiving account doesn't have permissions set up (if the calling account doesn't have it set up you get the same error). In any case you would still find that information in the CloudTrail logs of the receiving account
replies(1): >>43528940 #
9. hobs ◴[30 Mar 25 23:37 UTC] No.43528940{6}[source]
Right, you can go to cloudtrail and probably get it, but I have definitely ran into things like service says you do not have access to resource or it does not exist - randomly providing the account some other tangentially related permission magically fixes it, I've found sometimes trying the UI and the API will give different errors to help, and neither is particularly more useful than the others.
replies(3): >>43529250 #>>43529256 #>>43531059 #
10. winwang ◴[31 Mar 25 00:12 UTC] No.43529190{4}[source]
Slightly disagree at least for GCP. It will error with a detailed permission, but you're not just going to add that -- you're going to add a role (standard, unless you have custom roles), which you technically have to map back to the permission you need. But also, those (standard) roles have many permissions in one, so you likely overprovision (though presumably by just a bit).

...If only we could do something like: dry run and surface all the required permissions, then grant them in one fell (granular) sweep.

replies(2): >>43530688 #>>43531312 #
11. ◴[31 Mar 25 00:21 UTC] No.43529250{7}[source]
12. bshacklett ◴[31 Mar 25 00:22 UTC] No.43529256{7}[source]
assuming you can get the cloud trail message sometimes there’s more information that you can decode using the STS service:

https://docs.aws.amazon.com/cli/latest/reference/sts/decode-...

13. UltraSane ◴[31 Mar 25 00:36 UTC] No.43529353{3}[source]
AWS has a neat feature to analyze cloudtrail logs to determine needed permissions.
14. da_chicken ◴[31 Mar 25 03:42 UTC] No.43530688{5}[source]
> ...If only we could do something like: dry run and surface all the required permissions, then grant them in one fell (granular) sweep.

The problem with that is that it can be difficult to know what you need, and it may be impossible to simulate in any practical sense. Like, sure, I can stand up a pair of test systems and fabricate every scenario I can possibly imagine, but my employer does want me to do other things this month. And what happens when one of the systems involves a third party?

Really, the need is to be able to provision access after the relationship is established. It's weird that you need a completely new secret to change access. Imagine if this were Linux and in order to access a directory you had to provision a new user to do it? How narrow do you really think user security access would be in practical terms then?

replies(1): >>43537100 #
15. donavanm ◴[31 Mar 25 04:24 UTC] No.43531002{5}[source]
This is intentional. You, the caller, get a generic http 400 “resource does not exist or are not authorized” response and message. Providing additional information about resource existence or permissions opens an entire category of information disclosure, resource discovery, attribute enumeration, policy enumeration problems.

The IAM admin persona is the one who gets a bunch of additional information. Thats accessible through aws iam policy builder, access logs, etc.

And no, its not feasible to determine if the initial caller is an appropriate iam admin persona and vary the initial response.

replies(2): >>43532459 #>>43542685 #
16. Elucalidavah ◴[31 Mar 25 04:31 UTC] No.43531049[source]
> For their fix, they disabled debug logs

For their quick fix, hopefully not for their final fix.

17. donavanm ◴[31 Mar 25 04:32 UTC] No.43531059{7}[source]
Look in to the AWS IAM “service description files” aka SDF. Thats exposed via the console Policy Builder or Policy Evaluator logic. The SDF _should_ encode all the context (eg resource attributes, principal metadat) that goes in to the authz decision. The most common opaque issue youll see is where one action has other required resources/actions. Eg a single action attaching an ebs volume requires permission on both instance and volume and _maybe_ kms key with permissions across those services.
18. raverbashing ◴[31 Mar 25 05:04 UTC] No.43531266{4}[source]
But obviously then the security people will raise ruckus about any attempt of telling you what is wrong

(Which ok, for an external facing system is ok)

I can bet the huge prevalence of "system says no, and nothing tells you why" helps a lot with creating vulnerable systems.

System need an "let X person do Action" instead of having people waddle through 10 options like SystemAdminActionAllow that don't mean anything to an end user

19. valenterry ◴[31 Mar 25 05:11 UTC] No.43531312{5}[source]
> you're going to add a role (standard, unless you have custom roles), which you technically have to map back to the permission you need

Which is terrible btw. You dont "technicall" have to do that, you really cannot add roles to custom roles, you can only add permissions to custom roles. Which makes it really hard to maintain the correctness of custom roles since their permissions can and do change.

> ...If only we could do something like: dry run and surface all the required permissions, then grant them in one fell (granular) sweep.

GCP even has something like that, but I honestly think that standard roles are usually fine. Sometimes making things too fine grained is not good either. Semantics matter.

20. the8472 ◴[31 Mar 25 08:09 UTC] No.43532459{6}[source]
Even AWS itself does better than this, but only on some services. They send an encrypted error which you can then decrypt with admin permissions to get those details.
21. arccy ◴[31 Mar 25 10:53 UTC] No.43533461[source]
just goes to show how lax microsoft is about their security. nobody should trust them.
22. Uvix ◴[31 Mar 25 12:17 UTC] No.43534107{3}[source]
Azure’s RBAC system usually tells you this, at least when accessing the Azure management APIs. (Other APIs using RBAC, like the Azure Storage or Key Vailt ones, usually aren’t so accommodating. At least by their nature there’s usually only a handful of possible permissions to choose from.)
23. winwang ◴[31 Mar 25 16:51 UTC] No.43537100{6}[source]
> the need is to be able to provision access after the relationship is established

Could you go into more detail? At a base level interpretation, this is how it works already (you need a principal to provision access for...), but you presumably mean something more interesting?

replies(1): >>43542377 #
24. beaugunderson ◴[31 Mar 25 18:47 UTC] No.43538343[source]
Temporary action tokens have full write by default; you have to explicitly opt for a read-only version.

    > Read and write permissions
    > Workflows have read and write permissions in the repository for all scopes.
If you read this line of the documentation (https://docs.github.com/en/actions/security-for-github-actio...) you might think otherwise:

    > If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully.
But I can confirm that in our GitHub organization "Read and write permissions" was the default, and thus that line of documentation makes no sense.
25. Pathogen-David ◴[31 Mar 25 18:48 UTC] No.43538350[source]
If the GitHub Actions temporary token does not have workflow-defined permissions scope, it defaults either to a permissive or restricted default scope based on the repository's setting. This setting can also be configured at the organization level to restrict all repos owned by the org.

Historically the only choice was permissive by default, so this is unfortunately the setting used by older organizations and repos.

When a new repo is created, the default is inherited from the parent organization, so this insecure default tends to stick around if nobody bothers to change it. (There is no user-wide setting, so new repos owned by a user will use the restricted default. I believe newly created orgs use the better default.)

[0]: https://docs.github.com/en/actions/security-for-github-actio...

26. da_chicken ◴[01 Apr 25 03:00 UTC] No.43542377{7}[source]
With token-based access, you typically assign the role when the token is created. The access level the token has is typically locked at that point. If you're generating an API access token, you might specify the token is read-only. If you later decide that read/write access is needed, you need to generate a new token with the new access level and replace the token id and value in the client system.

It's not difficult, but it's a much bigger pain in the ass than just changing access or changing role on a user.

27. Atotalnoob ◴[01 Apr 25 03:55 UTC] No.43542685{6}[source]
Just add this to the end of the error message “If this resource exists, you will need to add permission X. “
replies(1): >>43556567 #
28. stogot ◴[01 Apr 25 10:45 UTC] No.43545199[source]
The 2023 Microsoft hack (that CISA completely called them out for poor security) also was similar to this. Their blog post that tried to explain what happened left so many unanswered questions
29. donavanm ◴[02 Apr 25 13:40 UTC] No.43556567{7}[source]
A late reply, but thats not how AWS IAM (or most advanced authz systems) work. AWS IAM is a “capability” system with dynamic policies; its nothing so simple as a “role” based authorization contrary to some product naming. To wit, every authz evaluation is a dynamic evaluation of policy and context. Each check uses one or more policies with one or more policy statements that are combined with some boolean logic and predicate rules. The policies may be associated (sourced) with the particular request based on calling principal, principal attributes, the target resource, a related resource, or even other metadata like AWS Org membership. Thats combined with the point in time context from the request (ex action name, parameters), request metadata (eg time), principal (id, tags, etc), resource (arn, attributes, tags), and some more “system” specific context variables. You (and the authorizing service) need ALL of that information to perform an authz evaluation.

This is complicated by dynamic data, like time or source address or caller principal tag values, so even identical requests may have different results. There are also complications like DENY statements and “unless” predicates that entirely defeat a simple “resource x requires y” approach.

Evem if you solve all of those challenges via magic you end up back at information disclosure where your adversary is now capable of rapidly enumerating and testing all your authz policies!