Wazuh GitHub Actions Workflow GITHUB_TOKEN Exposure Vulnerability

Vulnerability

A vulnerability in Wazuh version 4.12.0 allows the GITHUB_TOKEN to be extracted from workflow artifacts by anyone who can download them. The token, which the workflow uses to authenticate to the GitHub API, remains valid until the run finishes, so within that window it can be misused to push harmful commits or modify release tags. The issue arises because the workflow uploads an artifact that includes the checkout's .git/config file, in which the GITHUB_TOKEN is persisted, and that artifact can be downloaded before the workflow run has completed.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed in a repository, such as pushing malicious code or altering release tags to include harmful commits.

Reproduction

The vulnerability can be reproduced by monitoring for runs of the 'ci.yml' workflow in the Wazuh repository. Once an artifact from this workflow run is available for download, it can be extracted to retrieve the GITHUB_TOKEN. This token can then be used with the GitHub API to push a backdoored commit to the master branch or to update release tags to point to this compromised commit, thereby introducing the backdoor into the release.

Remediation

To address this vulnerability, it is recommended to modify the workflow so that the uploaded artifact contains only the files it actually needs, excluding environment variable dumps and the .git/config file (and, more generally, the .git directory) from the upload path.
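The following is an added example, not code from the advisory or from the Wazuh project: a pre-publish check a maintainer can run over an artifact archive to confirm the remediation above actually took effect. It opens the zip, flags any path under a .git directory, decodes the Authorization extraheader that actions/checkout persists into .git/config (a base64 "x-access-token:<token>" pair), and also looks for GITHUB_TOKEN-style literals (ghs_ prefix) in any file, which covers the environment-variable dump case. The archives it inspects are constructed in-memory with a placeholder token; the file names inside them are assumptions for illustration.

```python
"""Scan a CI artifact archive for persisted Git credentials before it is published.

Added example (not from the advisory or the Wazuh repository).
"""
import base64
import binascii
import io
import re
import zipfile

# Layout actions/checkout uses when it persists the job token into .git/config:
#   extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Installation access tokens such as GITHUB_TOKEN carry a ghs_ prefix.
TOKEN_LITERAL_RE = re.compile(rb"ghs_[A-Za-z0-9]{16,}")


def redact(secret: str) -> str:
    """Keep only the edges of a secret so a report never re-leaks it."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 8 else "***"


def scan_artifact(zip_bytes: bytes) -> dict:
    """Return findings for a zip archive: git metadata paths, decoded extraheader
    credentials (redacted), and token-looking literals in any file."""
    findings = {"git_metadata": [], "extraheader_tokens": [], "token_literals": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            data = zf.read(name)
            if ".git" in parts:
                findings["git_metadata"].append(name)
                if parts[-1] == "config":
                    text = data.decode("utf-8", "replace")
                    for match in EXTRAHEADER_RE.finditer(text):
                        try:
                            decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
                        except (binascii.Error, ValueError):
                            decoded = ""
                        user, _, token = decoded.partition(":")
                        findings["extraheader_tokens"].append((name, user, redact(token)))
            for match in TOKEN_LITERAL_RE.finditer(data):
                findings["token_literals"].append((name, redact(match.group(0).decode())))
    return findings


def artifact_is_safe(zip_bytes: bytes) -> bool:
    """True only when nothing credential-bearing was found."""
    return not any(scan_artifact(zip_bytes).values())


def build_constructed_artifacts() -> tuple:
    """Build (leaky, clean) archives in memory. The token is a placeholder, not real."""
    token = "ghs_EXAMPLEPLACEHOLDERTOKEN000000"  # constructed placeholder
    header = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    leaky_config = (
        "[core]\n\trepositoryformatversion = 0\n"
        "[remote \"origin\"]\n\turl = https://github.com/example-org/example-repo\n"
        f"[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic {header}\n"
    )
    leaky = io.BytesIO()
    with zipfile.ZipFile(leaky, "w") as zf:
        zf.writestr("checkout/.git/config", leaky_config)       # whole checkout uploaded
        zf.writestr("checkout/.env", f"GITHUB_TOKEN={token}\n")  # env dump uploaded
        zf.writestr("checkout/src/main.c", "int main(void) { return 0; }\n")
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("dist/package.tar.gz", b"\x1f\x8b\x08\x00constructed-bytes")
    return leaky.getvalue(), clean.getvalue()


if __name__ == "__main__":
    leaky_zip, clean_zip = build_constructed_artifacts()
    print("leaky artifact:", scan_artifact(leaky_zip))
    print("clean artifact safe:", artifact_is_safe(clean_zip))
```

Run it as a gate step after the build and before the upload-artifact step, or against a downloaded artifact during review; a non-empty finding means the upload path is still too broad. Independently of this check, the credential only ends up in .git/config because actions/checkout persists it there by default, so a workflow that never needs to push can also stop that persistence at the checkout step.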

Added: Mar 27, 2026, 6:31 PM
Updated: Mar 27, 2026, 6:31 PM

Vulnerability Rating (Custom Algorithm)

  spread          6.2
  impact          2.5
  exploitability  6.2
  remediation     0.0
  relevance       4.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.