Full Report
We found three key attack vectors in OpenID Connect (OIDC) implementation and usage. Bad actors could exploit these to access restricted resources. The post OH-MY-DC: OIDC Misconfigurations in CI/CD appeared first on Unit 42.
Analysis Summary
# Vulnerability: OIDC Misconfigurations in CI/CD (Observed in CircleCI)
## CVE Details
- CVE ID: Not explicitly assigned in the provided text. (Focus is on misconfiguration classes)
- CVSS Score: Not explicitly defined. Based on description of potential access to restricted resources, severity is likely **High** or **Critical** depending on final impact.
- CWE: Potential CWEs include CWE-287 (Improper Authentication), CWE-613 (Improper Access Control), or configuration-specific CWEs related to OIDC/OAuth.
## Affected Systems
- Products: CircleCI OIDC Implementation (within their CI/CD environment). The findings highlight general risks applicable to any system using OIDC for identity federation in CI/CD.
- Versions: Not specified. The vulnerability is described as a result of problematic implementation patterns/misconfigurations.
- Configurations: Systems relying on OIDC for identity federation where:
1. Identity federation policies are loosely configured.
2. Reliance is placed on user-controllable claim values without strict validation.
3. Permissive identity federation is combined with Poisoned Pipeline Execution (PPE).
## Vulnerability Description
Researchers identified critical security risks arising from the implementation and usage of OpenID Connect (OIDC) within Continuous Integration and Continuous Deployment (CI/CD) environments, specifically noted in CircleCI's integration. The core issues stem from three vectors: using overly permissive policies for identity federation, failing to strictly validate claims controlled by users, and combining these flaws with the ability to execute arbitrary code via Poisoned Pipeline Execution (PPE). Successful exploitation could allow an attacker to leverage these weaknesses to gain unauthorized access to restricted resources via forged or manipulated OIDC tokens.
## Exploitation
- Status: Potential risk identified during research. No assertion that it is currently exploited in the wild, but the mechanism is described.
- Complexity: Likely **Medium**, as it requires understanding both OIDC flows and weaknesses like PPE within the specific CI/CD platform configuration.
- Attack Vector: Likely **Network** (if upstream identity provider is targeted) or **Adjacent/Local** (if an existing compromised pipeline execution environment is leveraged).
## Impact
- Confidentiality: **High** (Potential access to secrets/restricted resources).
- Integrity: **High** (Potential modification of deployment artifacts or CI/CD processes).
- Availability: **Medium** (Potential disruption of build pipelines).
## Remediation
### Patches
- CircleCI has reportedly addressed the specific implementation issues identified and provided recommendations. Organizations must apply specific updates/configurations recommended by CircleCI and other affected vendors.
### Workarounds
- Organizations are urged to:
1. Review and strengthen OIDC authorization policies used by identity federations.
2. Implement strict validation mechanisms for OIDC claim values to prevent reliance on user-controllable data.
3. Enhance overall CI/CD security practices, particularly defense against Poisoned Pipeline Execution (PPE).
## Detection
- Detection focuses on monitoring federated access patterns:
- Look for OIDC token requests or assumptions that use unexpected or user-supplied claim values.
- Monitor for processes attempting to assume roles or access resources with entitlements exceeding what is strictly necessary for the authenticated pipeline stage.
- Ensure runtime analysis tools are in place to detect PPE activity within build steps.
## References
- Vendor advisories from CircleCI concerning OIDC security improvements.
- Palo Alto Networks/Unit 42 research on OIDC in CI/CD.
- [Link to Unit 42 research on OH-MY-DC: OIDC Misconfigurations in CI/CD - DEFANGED]