IB company Praetorian discovered in Machine Learning environment tensorflow incorrect settings of the continuous integration and delivery system (Continuous Integration/Continuous Deployment, CI/CD), which could be used for organizations to launch attacks on the supply chain.
According to the report by Praetorian, these incorrect settings could be exploited to compromise Tensorflow and Pypi by targeting Tensorflow assemblies through malicious pull requests.
A successful exploitation of these vulnerabilities would give remote attackers the ability to upload malicious releases into the Github repository, achieve remote code execution (Remote Code Execution, RCE) on the local autonomous tool of GitHub (Self-Hosted Runner), and even obtain personal access to the GITHUB (Personal Access Token, PAT) Tensorflow-Jenkins.
Tensorflow utilizes GitHub Actions to automate the process of assembly, testing, and deployment. Agents that perform tasks as part of the GitHub Actions workflow can be placed both on-premises and in GitHub.
Praetorian discovered that Tensorflow workflows were being performed on a Self-Hosted Runner and found merge requests from previous contributors that would automatically trigger the corresponding CI/CD processes without requiring approval. Additionally, the GITHUB_TOKEN resolution associated with the workflow granted extensive permissions for recording data.
After the responsible disclosure of this information on August 1, 2023, the project developers addressed the vulnerabilities by December 20, 2023 using the following methods:
- Requiring approval for workflow runs triggered by all fork merge requests, including those from previous contributors;
- Modifying the GitHub_Token permissions to “read-only” for workflow runs performed on on-premises execution agents.
Researchers note that attacks of this nature targeting CI/CD systems are on the rise as more organizations automate their CI/CD processes. AI and machine learning companies are particularly vulnerable since their workflows require significant computing power that may not be available in cloud-based solutions, thus leading to the utilization of on-premises execution agents.