January 18, 2024 at 08:03AM
Misconfigurations in TensorFlow's CI/CD pipeline could have enabled supply chain attacks. Workflows on GitHub-hosted runners were not affected, but workflows submitted from fork pull requests ran on the project's self-hosted runners without approval, permitting unauthorized code execution on those runners. The protections expected from ephemeral runners were bypassed, which could have compromised the integrity of both the GitHub repository and the PyPI releases. Project maintainers addressed the issues after disclosure, mitigating the risks.
Key takeaways from the meeting notes:
1. Misconfigurations in the open-source TensorFlow machine learning framework's CI/CD setup could have been exploited to orchestrate supply chain attacks, potentially allowing an attacker to compromise TensorFlow releases on GitHub and PyPI.
2. GitHub Actions automates the project's build, test, and deployment pipeline. Its self-hosted runners executed workflows from fork pull requests without approval, so an attacker who opened a pull request could achieve arbitrary code execution on those runners.
3. Project maintainers addressed the vulnerabilities by requiring approval for workflows submitted from fork pull requests and by changing GITHUB_TOKEN permissions to read-only for workflows running on self-hosted runners.
4. Similar CI/CD attacks are on the rise as organizations automate their processes. AI/ML projects are particularly exposed because they need compute (such as GPU hardware) that GitHub-hosted runners do not provide, which pushes them toward self-hosted runners.
5. Several public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are also susceptible to malicious code injection via self-hosted GitHub Actions runners.
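The two misconfigurations behind takeaways 2 and 3, pull-request-triggered jobs reaching self-hosted runners and a writable GITHUB_TOKEN, can be checked mechanically. The Python below is an added example written for this summary, not code from TensorFlow, Praetorian or GitHub; it audits a workflow that has already been parsed into a dict (for example with PyYAML's `yaml.safe_load`) and reports the weak settings. The sample workflows are constructed for illustration and do not reproduce TensorFlow's actual files. It also flags a related pattern the text does not mention, `pull_request_target` jobs that check out the pull request head, since that is the other common way fork code ends up running with the base repository's token. The fork-PR approval requirement is a repository setting rather than YAML, so it is modelled as a parameter.

```python
"""Audit parsed GitHub Actions workflows for CI/CD weaknesses of the kind
described above: untrusted pull-request code reaching self-hosted runners and
an over-privileged GITHUB_TOKEN. Example code, not an official tool."""

# Label prefixes used by GitHub-hosted runners; anything else (including the
# literal "self-hosted" label or a runner-group mapping) is treated as
# self-hosted. Assumption made for this example, deliberately conservative.
GITHUB_HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def _triggers(workflow):
    """Return the set of event names the workflow runs on.
    PyYAML parses the bare key `on` as boolean True, so accept both spellings."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def _is_self_hosted(runs_on):
    """`runs-on` may be a label, a list of labels, or a runner-group mapping."""
    if isinstance(runs_on, dict):
        return True
    labels = [runs_on] if isinstance(runs_on, str) else list(runs_on or [])
    return any(label == "self-hosted" or not label.startswith(GITHUB_HOSTED_PREFIXES)
               for label in labels)


def _token_is_writable(permissions):
    """No permissions block means the token keeps the repository default, which
    is write access on many older repositories; explicit write scopes count too."""
    if permissions is None:
        return True
    if isinstance(permissions, str):
        return permissions in ("write-all", "write")
    return any(scope == "write" for scope in permissions.values())


def _checks_out_pr_head(job):
    """True if a checkout step pulls the pull request head into the job."""
    for step in job.get("steps", []):
        uses = str(step.get("uses", ""))
        ref = str((step.get("with") or {}).get("ref", ""))
        if uses.startswith("actions/checkout") and "pull_request.head" in ref:
            return True
    return False


def audit_workflow(workflow, fork_pr_approval_required=False):
    """Return a list of findings (empty when the workflow looks safe).
    `fork_pr_approval_required` mirrors the repository-level Actions setting
    that makes fork pull requests wait for maintainer approval."""
    findings = []
    triggers = _triggers(workflow)
    pr_triggered = bool(triggers & PR_TRIGGERS)
    workflow_perms = workflow.get("permissions")

    for name, job in workflow.get("jobs", {}).items():
        self_hosted = _is_self_hosted(job.get("runs-on"))
        perms = job.get("permissions", workflow_perms)

        if pr_triggered and self_hosted and not fork_pr_approval_required:
            findings.append(f"{name}: pull request code runs on a self-hosted runner "
                            "without approval; require approval for fork PRs")
        if self_hosted and _token_is_writable(perms):
            findings.append(f"{name}: GITHUB_TOKEN is writable on a self-hosted runner; "
                            "set permissions to read-only")
        if "pull_request_target" in triggers and _checks_out_pr_head(job):
            findings.append(f"{name}: pull_request_target checks out the PR head, so "
                            "untrusted code runs with the base repository's token")
    return findings


# Constructed samples (not TensorFlow's real workflows).
WEAK_WORKFLOW = {
    "name": "build",
    "on": {"pull_request": {}, "push": {"branches": ["main"]}},
    "jobs": {"gpu-build": {
        "runs-on": ["self-hosted", "linux", "gpu"],
        "steps": [{"uses": "actions/checkout@v4"}, {"run": "bazel test //..."}]}},
}

HARDENED_WORKFLOW = {
    "name": "build",
    "on": {"pull_request": {}, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {"gpu-build": {
        "runs-on": ["self-hosted", "linux", "gpu"],
        "steps": [{"uses": "actions/checkout@v4"}, {"run": "bazel test //..."}]}},
}

PR_TARGET_WORKFLOW = {
    "name": "label",
    "on": ["pull_request_target"],
    "jobs": {"lint": {
        "runs-on": "ubuntu-latest",
        "steps": [{"uses": "actions/checkout@v4",
                   "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                  {"run": "make lint"}]}},
}

if __name__ == "__main__":
    for title, wf in [("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                      ("pr_target", PR_TARGET_WORKFLOW)]:
        print(title, audit_workflow(wf, fork_pr_approval_required=(title == "hardened")))
```

The hardened workflow still produces a finding if `fork_pr_approval_required` is left at its default, which is the point of the caveat: a read-only token alone does not stop fork code from executing on the runner, so the YAML fix and the repository approval setting have to be applied together.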
Please feel free to reach out if you need further clarification or additional information.