A software supply-chain vulnerability has been discovered in Bazel [1] [4] [6], an open-source tool developed by Google [2] [3] [4]. This vulnerability involves a command injection vulnerability in a custom GitHub Action used by Bazel in its CI/CD workflows. It has the potential to impact the software supply chain and affect millions of projects and users on various platforms, including Kubernetes [4] [5], Angular [2] [3] [4] [5] [7], Uber [2] [3] [4] [5], LinkedIn [2] [3] [4] [5], and Google itself [4].
Description
Security researchers from Cycode have identified a vulnerability in Bazel, a tool developed by Google [2] [3]. The vulnerability stems from a command injection vulnerability in a custom GitHub Action used by Bazel in its CI/CD workflows. This vulnerability could allow for the injection of malicious code through the GitHub Actions workflow [1], posing a risk to the software supply chain. Google promptly addressed and fixed the vulnerability by implementing least privilege principles in their usage of GitHub Actions. The RAVEN tool was used to identify this vulnerability, which scans CI/CD platforms for vulnerabilities [7]. This incident highlights the potential security risks associated with third-party CI/CD dependencies [2], particularly within popular platforms like Kubernetes and Angular [7]. Custom GitHub Actions [1] [2] [3] [4] [5] [7], which enable code reuse and nested dependencies [2], can introduce transitive vulnerabilities into workflows [2]. Cycode has previously identified vulnerabilities in open-source projects [7], demonstrating that vulnerabilities can extend to indirect dependencies like Custom Actions [7]. DevOps teams are advised to review their workflows for similar vulnerabilities [7], as application security attack surfaces are often unmanageable [7]. While it is unclear if the vulnerability was exploited [7], organizations using Bazel are advised to conduct a code review [7].
Conclusion
The discovered vulnerability in Bazel has the potential to impact a wide range of projects and users on various platforms. It highlights the importance of addressing security risks associated with third-party CI/CD dependencies [2], especially within popular platforms like Kubernetes and Angular [7]. DevOps teams should review their workflows for similar vulnerabilities to ensure the security of their applications. Additionally, the Biden administration’s executive order is expected to bring stricter regulations for securing software supply chains, making it crucial to proactively address these issues before they disrupt the software development life cycle.
References
[1] https://allinfosecnews.com/item/cycode-discovers-a-supply-chain-vulnerability-in-bazel-2024-02-01/
[2] https://flyytech.com/2024/02/02/bazel-poc-attack-highlights-transitive-vulnerability-risk-in-custom-github-actions/
[3] https://www.csoonline.com/article/1303355/bazel-poc-attack-highlights-transitive-vulnerability-risk-in-custom-github-actions.html
[4] https://www.infosecurity-magazine.com/news/googles-bazel-command-injection/
[5] https://www.jsplaces.com/cso-online/01/02/2024/bazel-poc-attack-highlights-transitive-vulnerability-risk-in-custom-github-actions/
[6] https://securityboulevard.com/2024/02/cycode-discovers-a-supply-chain-vulnerability-in-bazel/
[7] https://devops.com/cycode-discloses-github-actions-vulnerability-in-google-bazel-project/