Cybersecurity experts have observed a concerning trend in which threat actors increasingly target Continuous Integration/Continuous Deployment (CI/CD) pipelines to gain unauthorized access to sensitive cloud resources. These attacks exploit misconfigurations in how organizations implement the OpenID Connect (OIDC) protocol, allowing attackers to bypass traditional security controls and potentially reach an organization's most valuable assets.

Palo Alto Networks researchers identified multiple weaknesses in how organizations configure OIDC authentication for their CI/CD environments. Their analysis found that while OIDC was designed to eliminate the need to store long-lived credentials in CI/CD workflows, a misconfigured implementation can inadvertently create new attack vectors.

OIDC extends the OAuth protocol by adding identity tokens that assert who the caller is. In CI/CD environments this enables passwordless interaction between CI runners and protected resources: the CI/CD vendor acts as the identity provider (IdP) and signs a token for each job, and the resource owner (for example a cloud provider) decides whether to trust that token based on its identity federation policy. Since CI/CD vendors automatically issue identity tokens to all runners, including runs triggered by untrusted contributors, the security boundary rests almost entirely on that federation policy being configured correctly. A misconfigured policy can allow an attacker to obtain a valid token that satisfies the conditions for accessing protected resources.

The most alarming attack vector identified combines Poisoned Pipeline Execution (PPE) with lax OIDC federation policies. An attacker who gains remote code execution (RCE) in a pipeline, which is what PPE provides, first obtains the OIDC token the vendor issues to that job. If the federation policy's conditions are loose enough to be satisfied by that token, the attacker can exchange it for access to resources the policy was meant to reserve for a different, more trusted pipeline, escalating from a low-value repository to the organization's sensitive assets. Lax assertions in federation policies typically take the form of overly permissive conditions: a subject pattern that matches an entire organization rather than one repository, or a check on a claim whose value can be satisfied by multiple repositories or users.

Organizations can protect themselves by implementing repository-specific federation rules instead of organization-wide patterns, strictly validating claims (especially user-controllable ones), regularly auditing OIDC configurations, and following CI security best practices to prevent PPE vulnerabilities. Palo Alto Networks has also updated its Infrastructure as Code (IaC) policies to detect these types of OIDC misconfigurations and alert users when potentially exploitable configurations are identified.
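As an added example, not code from the article or from Palo Alto Networks, the following Python models the claim matching a cloud role's trust policy performs on a CI OIDC token after the token signature has been verified. It assumes GitHub Actions claim names (sub, aud, workflow) and AWS IAM StringEquals/StringLike condition semantics; the tokens, the fictitious acme-corp organization and its three federation policies are all constructed for the example, and treating the workflow claim as one the workflow author controls is the example's own assumption. It shows why an organization-wide subject pattern accepts a token minted by a poisoned pull_request run in an unrelated repository, why adding an author-controlled claim does not help, and what a repository- and branch-specific rule looks like.

```python
"""Match CI/CD OIDC token claims against IAM-style federation conditions.

Added example, not code from the article or from Palo Alto Networks. Claim names
follow GitHub Actions tokens, the condition shape follows AWS IAM trust policies,
and token signature verification is assumed to have happened already. All tokens
and policies below are constructed for the example.
"""
import re

ISS = "token.actions.githubusercontent.com"
# Claims set by whoever can edit the workflow file (assumption of this example:
# GitHub's `workflow` claim is the YAML `name:` field), so they alone cannot
# identify a trusted pipeline.
AUTHOR_CONTROLLED_CLAIMS = {"workflow"}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run, '?' one character, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def evaluate(condition: dict, claims: dict) -> bool:
    """True when every operator block is satisfied; a missing claim never matches.
    Keys look like 'token.actions.githubusercontent.com:sub'; the claim name is
    the part after the last ':'."""
    for operator, key_values in condition.items():
        for key, patterns in key_values.items():
            value = claims.get(key.rsplit(":", 1)[-1])
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if value is None:
                return False
            if operator == "StringEquals":
                matched = value in patterns
            elif operator == "StringLike":
                matched = any(string_like(p, value) for p in patterns)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not matched:
                return False
    return True


def tokens_accepted(condition: dict, tokens: dict) -> list:
    """Names of the sample tokens (name -> claims) the condition would accept."""
    return [name for name, claims in tokens.items() if evaluate(condition, claims)]


def audit(condition: dict) -> list:
    """Flag conditions that leave the subject unpinned or rely on author-set claims."""
    findings, sub_seen = [], False
    for operator, key_values in condition.items():
        for key, patterns in key_values.items():
            claim = key.rsplit(":", 1)[-1]
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if claim in AUTHOR_CONTROLLED_CLAIMS:
                findings.append(f"{claim}: value is chosen by the workflow author")
            if claim != "sub":
                continue
            sub_seen = True
            for pat in patterns:
                # GitHub sub layout: repo:<owner>/<name>:<ref | environment | event>
                parts = pat.split(":", 2)
                repo = parts[1] if len(parts) > 1 else parts[0]
                if operator == "StringLike" and any(c in repo for c in "*?"):
                    findings.append(f"sub: '{pat}' does not pin one repository")
    if not sub_seen:
        findings.append("sub: no condition on the subject at all")
    return findings


# Constructed token payloads as a runner would present them (iss/exp/jti omitted).
TOKENS = {
    # Main-branch run of the repository that is meant to deploy.
    "prod-deploy": {"aud": "sts.amazonaws.com", "workflow": "Deploy",
                    "sub": "repo:acme-corp/payments-deploy:ref:refs/heads/main"},
    # pull_request run in an unrelated repo of the same org where the attacker
    # achieved PPE and named the poisoned workflow "Deploy".
    "ppe-docs-pr": {"aud": "sts.amazonaws.com", "workflow": "Deploy",
                    "sub": "repo:acme-corp/docs-site:pull_request"},
}
# Organization-wide subject pattern: any repo, branch or PR in the org qualifies.
LAX_ORG_WIDE = {"StringEquals": {f"{ISS}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{ISS}:sub": "repo:acme-corp/*"}}
# "Tightened" with the workflow name, which the attacker simply copies.
LAX_WORKFLOW_NAME = {"StringEquals": {f"{ISS}:aud": "sts.amazonaws.com",
                                      f"{ISS}:workflow": "Deploy"},
                     "StringLike": {f"{ISS}:sub": "repo:acme-corp/*"}}
# Repository- and branch-specific subject, no wildcard.
STRICT = {"StringEquals": {f"{ISS}:aud": "sts.amazonaws.com",
                           f"{ISS}:sub": "repo:acme-corp/payments-deploy:ref:refs/heads/main"}}

if __name__ == "__main__":
    for name, cond in [("LAX_ORG_WIDE", LAX_ORG_WIDE),
                       ("LAX_WORKFLOW_NAME", LAX_WORKFLOW_NAME), ("STRICT", STRICT)]:
        print(name, "accepts", tokens_accepted(cond, TOKENS), "findings", audit(cond))
```

Running the module shows both lax policies accepting the PPE token alongside the legitimate one, while STRICT accepts only the main-branch deploy token and produces no audit findings. One edge case worth checking with string_like when auditing real policies: a subject pattern that omits the ':' after the repository name (repo:acme-corp/payments-deploy*) also matches a sibling repository such as acme-corp/payments-deploy-evil, whereas repo:acme-corp/payments-deploy:* does not.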
Published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 12:30:07 +0000