Harden-Runner CI/CD Security Agent Disable-Sudo Bypass Vulnerability

Vulnerability

A vulnerability exists in Harden-Runner, a CI/CD security agent for GitHub Actions runners, in versions from 0.12.0 up to, but not including, 2.12.0. The issue is a bypass of the 'disable-sudo' policy, which is intended to prevent the runner user from using sudo by removing them from the sudoers file. The runner user, however, remains a member of the docker group and can therefore interact with the Docker daemon, launching privileged containers or accessing the host filesystem. This access lets the user regain root or restore the sudoers file, circumventing the intended restriction. The vulnerability can be exploited if an attacker is able to execute malicious code on the runner, for example through a supply chain attack or a Pwn Request vulnerability.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to root, bypassing the intended security control of the 'disable-sudo' policy.

Remediation

Users should update to Harden-Runner version 2.12.0 or later and migrate to the 'disable-sudo-and-containers' policy, which disables sudo access, removes access to Docker and containerd sockets, and uninstalls Docker from the runner. This update prevents container-based privilege escalation. The 'disable-sudo' option will be deprecated in the future, as it does not adequately restrict privilege escalation on its own.
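A runner-side check for the hardened state described above, added here as an example and not part of the advisory or of Harden-Runner: it reports, from the current user's point of view, whether sudo is still usable, whether the user is still in the docker group, and whether the Docker or containerd socket is still writable. The socket paths and the group name are assumptions about a typical Docker installation.

```shell
#!/bin/sh
# Added verification check (not part of the advisory or of Harden-Runner).
# Audits whether a Linux runner still exposes the escalation paths the
# advisory describes. Socket paths and the group name are assumptions.

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
CONTAINERD_SOCK="${CONTAINERD_SOCK:-/run/containerd/containerd.sock}"

# Succeeds when user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Succeeds when $1 is a socket the current user can write to; write access
# to the daemon socket is what makes the daemon's root privileges reachable.
socket_reachable() {
  [ -S "$1" ] && [ -w "$1" ]
}

# Succeeds when the current user can run sudo without a password prompt.
sudo_usable() {
  command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1
}

# Runs every check for user $1 (default: current user), prints one line per
# check and returns the count of residual escalation paths (0 = hardened).
audit_runner() {
  user="${1:-$(id -un)}"
  findings=0
  if sudo_usable; then
    echo "FAIL sudo is usable"; findings=$((findings + 1))
  else
    echo "ok   sudo not usable"
  fi
  if user_in_group "$user" docker; then
    echo "FAIL $user is in the docker group"; findings=$((findings + 1))
  else
    echo "ok   $user not in docker group"
  fi
  for sock in "$DOCKER_SOCK" "$CONTAINERD_SOCK"; do
    if socket_reachable "$sock"; then
      echo "FAIL $sock is writable"; findings=$((findings + 1))
    else
      echo "ok   $sock not reachable"
    fi
  done
  return "$findings"
}
```

Run `audit_runner` as a step on the runner after the Harden-Runner step; a non-zero exit code means at least one escalation path is still open.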

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  3.5
remediation     0.0
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.