
Adnan Khan and John Stawinski - Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction (PDF)

Uploaded by: 张** Document ID: 175531 2024-09-13 98 pages 8.34MB

#BHUSA BlackHatEvents

Self-Hosted GitHub Runners: Continuous Integration, Continuous Destruction
Adnan Khan | John Stawinski

First, A Story

"Two months ago, someone identified a GitHub Actions misconfiguration in a public repository owned by one of the largest domestic chip manufacturers in the United States. Anyone with a GitHub account could have exploited it by creating a pull request. The vulnerability allowed them to obtain Enterprise admin privileges over that company's GitHub Enterprise Cloud tenant. This provided access to some of that company's most sensitive intellectual property. They had the privileges to make every repository public or even delete their GitHub organizations, which would trigger an immediate loss of over 120,000 repositories. Thankfully, this was not an APT, it was me, and I responsibly disclosed the vulnerability."
- Adnan Khan

Disclaimer
- All vulnerabilities mentioned during this talk have been remediated
- The views and opinions expressed in this presentation are solely our own
- The content presented is not endorsed by, nor does it represent the views of our employers
- All materials and ideas shared are independently developed and should not be attributed to our employers

John Stawinski
- Red Team Security Engineer
- CI/CD Security Researcher
- Enjoys anything outside, especially activities that lead to injury
- Former Collegiate Athlete
- Nomadic (for now)
- Email:
- LinkedIn:
- Website:

Adnan Khan
- Security Engineer for Day Job
- Security Researcher
- Bug Bounty Hunter
- Lives in Baltimore, Maryland
- X: adnanthekhan
- Website:

And many more.

Ok, but is it really that bad?
Yes. There is a systemic lack of awareness around self

This document describes in detail the security risks of self-hosted GitHub runners and their impact on technologically advanced organizations. The authors, Adnan Khan and John Stawinski, describe a GitHub Actions misconfiguration that allowed anyone with a GitHub account to obtain Enterprise admin privileges over the GitHub Enterprise Cloud tenant of a large US domestic chip manufacturer simply by creating a pull request. Those privileges gave access to the company's most sensitive intellectual property and the ability to act on more than 120,000 repositories.

Key data points in the document:
- In July 2023 a GitHub Actions security vulnerability was disclosed that affected Linux, Windows, macOS and multiple architectures.
- The attack steps described are simple, and the likelihood of successful exploitation is high.
- The technical community knows little about these attacks, yet they can have a major impact on the world.
- In the case study, the attacker became a contributor by fixing a typo, then used the GITHUB_TOKEN for lateral movement and privilege escalation.

Key takeaways:
1. There is a systemic lack of security awareness around self-hosted GitHub runners, which leaves them exposed to supply-chain attacks.
2. Attackers can easily become contributors and then exploit weaknesses in the CI/CD pipeline.
3. Defenses include requiring workflow approval, restricting GITHUB_TOKEN permissions, applying the principle of least privilege, and monitoring self-hosted runners.
4. The document also provides strategies for protecting organizations against CI/CD attacks and stresses the importance of GitHub PAT hygiene.
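The defenses listed above (approval gating, restricted GITHUB_TOKEN permissions, keeping untrusted pull requests off self-hosted runners) map onto concrete settings in a workflow file. The audit script below is an added example, not code from the talk or its authors: it takes a parsed workflow and flags the three shapes the story and the case study turn on, namely a pull-request-triggered job on self-hosted labels, a pull_request_target job that checks out the PR author's commit, and jobs that never set a permissions block. The recognised hosted-runner labels, the finding codes and the two sample workflows are constructed assumptions; workflows are supplied in the dict form that yaml.safe_load() would return, so the script runs without PyYAML.

```python
"""Audit GitHub Actions workflows for the misconfigurations behind the talk's
"continuous destruction" scenario: self-hosted runners reachable from pull
requests, pull_request_target jobs that check out the PR author's code with a
privileged token, and jobs that inherit the repository's default GITHUB_TOKEN
permissions. Added example, not code from the talk; workflows are passed in the
dict shape yaml.safe_load() returns, so PyYAML is not required to run it."""
from __future__ import annotations
from typing import Any

# Labels GitHub itself provides (assumption: the list we recognise). Any other
# label, e.g. "self-hosted" or a custom "gpu", means a machine the repository
# owner operates; unknown labels therefore err toward a finding.
HOSTED_LABELS = {"ubuntu-latest", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04",
                 "windows-latest", "windows-2022", "windows-2019",
                 "macos-latest", "macos-14", "macos-13", "macos-12"}
# Events an outside contributor fires from a fork just by opening a PR.
PR_EVENTS = {"pull_request", "pull_request_target"}
# Expressions that resolve to the PR author's commit rather than the base branch.
HEAD_REFS = ("github.event.pull_request.head", "github.head_ref")


def _as_list(value: Any) -> list:
    """Normalise the str | list | None shapes YAML allows into a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def workflow_events(workflow: dict) -> set[str]:
    """Trigger names. PyYAML (YAML 1.1) parses a bare `on:` key as boolean
    True, so both spellings are accepted."""
    on = workflow.get("on", workflow.get(True))
    return set(on) if isinstance(on, dict) else set(_as_list(on))


def runner_labels(job: dict) -> set[str]:
    """`runs-on` may be a string, a list of labels, or {group:, labels:}; a
    runner group becomes a pseudo-label so it is never taken for a hosted image."""
    runs_on = job.get("runs-on")
    if isinstance(runs_on, dict):
        labels = set(_as_list(runs_on.get("labels")))
        if runs_on.get("group"):
            labels.add("group:" + str(runs_on["group"]))
        return labels
    return set(_as_list(runs_on))


def is_self_hosted(labels: set[str]) -> bool:
    return bool(labels) and not labels.issubset(HOSTED_LABELS)


def checks_out_pr_head(job: dict) -> bool:
    """True if an actions/checkout step is pinned to the PR head; under
    pull_request_target that runs attacker code with a write-capable token."""
    for step in _as_list(job.get("steps")):
        uses = str(step.get("uses", ""))
        ref = str((step.get("with") or {}).get("ref", ""))
        if uses.startswith("actions/checkout") and any(h in ref for h in HEAD_REFS):
            return True
    return False


def audit_workflow(workflow: dict) -> list[tuple[str, str]]:
    """(job_name, finding_code) for every job that matches; [] means clean."""
    events = workflow_events(workflow)
    findings: list[tuple[str, str]] = []
    for name, job in (workflow.get("jobs") or {}).items():
        if events & PR_EVENTS and is_self_hosted(runner_labels(job)):
            findings.append((name, "self_hosted_on_pr"))
        if "pull_request_target" in events and checks_out_pr_head(job):
            findings.append((name, "pwn_request"))
        if "permissions" not in workflow and "permissions" not in job:
            findings.append((name, "default_token_permissions"))
    return findings


# Constructed sample, the weak shape: PR-triggered job on a self-hosted GPU box,
# checking out the fork's commit under pull_request_target, no permissions block.
VULNERABLE = {"on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
              "jobs": {"build": {
                  "runs-on": ["self-hosted", "linux", "gpu"],
                  "steps": [{"uses": "actions/checkout@v4",
                             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                            {"run": "make test"}]}}}

# Constructed sample, the corrected shape: plain pull_request (fork PRs get a
# read-only token), a GitHub-hosted image, and GITHUB_TOKEN cut to contents: read.
HARDENED = {"on": {"pull_request": {}},
            "permissions": {"contents": "read"},
            "jobs": {"build": {"runs-on": "ubuntu-latest",
                               "steps": [{"uses": "actions/checkout@v4"},
                                         {"run": "make test"}]}}}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_workflow(wf) or "no findings")
```

Run it against every file under .github/workflows after yaml.safe_load(); the vulnerable sample yields all three findings, the hardened one none. Where a self-hosted runner cannot be avoided on a public repository, moving to the hardened shape is not sufficient on its own: the approval gating the summary mentions (the repository setting that requires approval for all outside collaborators, not only first-time contributors) and ephemeral single-job runners are what stop a contributor who earned that status with a typo fix from reaching the machine.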