Cons of open source: How to hack TensorFlow with a single request

Brother

A misconfiguration in the platform could have cost developers the entire software supply chain.

The security company Praetorian found misconfigurations in the continuous integration and delivery (CI/CD) system of the TensorFlow machine learning framework that could have been used to mount attacks on its software supply chain.

According to the Praetorian report, the misconfigurations could have been used to compromise TensorFlow releases on GitHub and PyPI by attacking TensorFlow's build agents through a malicious pull request.

Successful exploitation would have allowed a remote attacker to upload malicious releases to the GitHub repository, achieve Remote Code Execution (RCE) on a self-hosted GitHub Actions runner, and even obtain a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.

TensorFlow uses GitHub Actions to automate building, testing, and deploying the software. The runners that execute jobs within a GitHub Actions workflow can be either self-hosted or hosted by GitHub.

Praetorian found TensorFlow workflows running on self-hosted runners, and found that pull requests from previous contributors automatically triggered the corresponding CI/CD workflows without requiring approval. At the same time, the GITHUB_TOKEN permissions associated with those workflows granted extensive write access.

After responsible disclosure on August 1, 2023, the project developers fixed the issues by December 20, 2023 by:
  • requiring approval for workflows triggered by all fork pull requests, including those from previous contributors;
  • changing GITHUB_TOKEN permissions to read-only for workflows running on self-hosted runners.
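What the second fix looks like in a workflow file, as an added illustration rather than TensorFlow's actual configuration (the workflow names and the build script are placeholders):

```yaml
# Added example, not TensorFlow's own workflow.
# --- Before: no "permissions" key, so GITHUB_TOKEN inherits the repository's
# default token permissions. If that default is "read and write", a job
# reached by a fork pull request runs on the self-hosted runner with a token
# that can push commits, publish releases and edit other workflows.
name: build-weak
on:
  pull_request:
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh          # placeholder build script

---
# --- After: GITHUB_TOKEN is read-only for every job in this workflow.
# The top-level "permissions" block overrides the repository default, so even
# if the default is later relaxed, jobs on the self-hosted runner stay
# read-only. Write scopes, if a job needs them, are granted per job on a
# workflow that fork pull requests cannot trigger.
name: build-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh          # placeholder build script
```

The first fix is a repository setting rather than a workflow key: under Settings > Actions > General, the "Require approval for all outside collaborators" option makes every fork pull request wait for a maintainer before any workflow runs, instead of exempting previous contributors.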

The researchers note that attacks of this kind on CI/CD are increasing as more organizations automate their CI/CD pipelines. AI and machine learning companies are particularly exposed, because their workflows require significant computing power that GitHub-hosted runners do not provide, which drives the spread of self-hosted runners.