Supply chain, Third-party code, DevSecOps

Google supply chain bug patched in code-testing tool Bazel


A critical supply chain bug in Google's open-source software development tool Bazel opened the door for hackers to insert malicious code. The command injection vulnerability, according to researchers, affected the security of millions of Bazel-dependent projects, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia and Google itself.

The flaw was first identified in November by researchers at Cycode and fixed by Google within seven days. In a February 1 blog post, the Cycode Research Team revealed details of the bug.

"We found that a GitHub Actions workflow could have been injected by malicious code due to a command injection vulnerability in one of Bazel's dependent Actions," wrote Elad Pticha, researcher with Cycode. "This vulnerability directly impacts the software supply chain, potentially allowing malicious actors to insert harmful code into the Bazel codebase, create a backdoor, and affect the production environment of anyone using Bazel."

The disclosure timeline began with a November 1 bug bounty report to Google by Cycode. On November 7 Google opened a review of the report, and the next day pushed a "new commit" update addressing the bug. By December 5 a "pull request" had fully addressed the bug, and a week later Cycode was awarded a $13,337 bug bounty payout by Google.

Breaking down the bug

Pticha wrote that Google acknowledged "the critical importance of the vulnerability." The heart of the issue, researchers wrote, was tied to the use of GitHub Custom Actions, "a versatile approach to streamlining" the software development workflow, and to the use of what is called a cherry-picker workflow.

A cherry-picker workflow describes a type of command that enables arbitrary Git commits to be picked by reference and appended to the current working HEAD or branch of code in the development environment, according to a description by Atlassian.

"Custom actions can be compared to functions being called within code, where we use our own functions and import third-party ones," Pticha wrote. Actions come in three types: Docker container, JavaScript and composite actions.

"Custom actions add a significant burden on the organization’s software supply chain. A few lines of code in the top-level workflow can translate into thousands or even millions of lines of code, many of which we may not even be aware of," he wrote.

By using GitHub Actions (a continuous integration and continuous delivery, or CI/CD, platform that automates the build, test and deployment stages of the software development lifecycle), Cycode researchers managed to identify how a command injection vulnerability can target the cherry-picker workflow.

The actions, Pticha wrote, use programs written in languages “such as JavaScript and Python, and leverage libraries from various package managers like NPM or PyPI, forming an extensive chain of dependencies.”

Cycode researchers managed to obtain tokens for Bazel and GitHub by injecting a malicious payload within system logs. Vulnerabilities in indirect dependencies, such as custom actions, are "challenging to identify since they may be located in different repositories, in other ecosystems, and managed by other maintainers."
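The command injection described in the two paragraphs above belongs to a well-known class of GitHub Actions bugs: a workflow expression such as `${{ github.event.comment.body }}` is expanded directly into a `run:` script, so the shell re-parses text that an outside contributor controls. As an added illustration, not code from the Cycode write-up or from Bazel's repository, the following Python scanner flags that pattern in a workflow file and leaves alone the hardened form, where the value is passed through an `env:` variable and quoted so the shell treats it as data. The sample workflow, the list of untrusted contexts and the function name are constructed for this example and do not reproduce the actual Bazel cherry-picker workflow.

```python
import re

# Constructed sample workflow (not Bazel's). Step "unsafe" interpolates an
# attacker-controllable event field straight into a shell script; step "safe"
# passes the same value through an environment variable and quotes it.
SAMPLE_WORKFLOW = """\
name: cherry-pick-example
on:
  issue_comment:
    types: [created]
jobs:
  pick:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: unsafe
        run: |
          git cherry-pick ${{ github.event.comment.body }}
      - name: safe
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          git cherry-pick "$COMMENT"
      - name: harmless
        run: echo "${{ github.run_id }}"
"""

# Contexts whose values an external contributor can set. Assumption: a common
# subset drawn from GitHub's own hardening guidance; extend it for your repositories.
UNTRUSTED_PREFIXES = (
    "github.event.comment.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.head_ref",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.commits",
)

# Matches a workflow expression and captures its body.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"(-\s+)?run:(.*)$")


def find_run_injections(workflow_text):
    """Return (line_number, expression) for every ${{ }} expression that references
    an untrusted context inside a `run:` script.

    Expressions under `env:` or `with:` are deliberately not flagged: there the
    value becomes a variable and the shell never re-parses it. This is a
    line-based scanner, so a `run: |` block is tracked by indentation rather than
    by a full YAML parse.
    """
    findings = []
    in_run = False
    run_indent = 0
    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        stripped = raw.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(stripped)
        # A line indented no deeper than the run: key ends the script block.
        if in_run and indent <= run_indent:
            in_run = False
        m = RUN_KEY_RE.match(stripped)
        if m:
            in_run = True
            # "- run:" as the first key of a list item sits two columns deeper.
            run_indent = indent + len(m.group(1) or "")
            script_part = m.group(2)
        elif in_run:
            script_part = stripped
        else:
            continue
        for expr in EXPR_RE.findall(script_part):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for lineno, expr in find_run_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression '{expr}' expanded inside run: script")
```

Running the block on the constructed workflow reports only line 12 (the `unsafe` step); the `safe` step, which reads `"$COMMENT"` from `env:`, and the `harmless` step, which expands `github.run_id`, are not reported. The same check applies to the `run:` steps inside a composite action's `action.yml`, which is where an indirect dependency of the kind the article describes would carry the bug.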

Out of the 3.4 million workflows in public repositories, nearly all (about 98.75%) incorporate one or more custom actions, Pticha wrote.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
