OpenID Connect (OIDC), an extension of the OAuth protocol, is increasingly becoming the backbone of authentication and authorization workflows in cloud environments.
Its integration within Continuous Integration and Continuous Deployment (CI/CD) pipelines has introduced significant advancements in securing ephemeral CI runners without relying on traditional password authentication.
By issuing identity tokens for resource access, OIDC aims to minimize credential leaks and streamline authentication processes in dynamic environments.
However, Palo Alto Networks’ Unit 42 research reveals alarming vulnerabilities within OIDC implementations in CI/CD systems, including configurations utilized by major platforms like CircleCI.
These vulnerabilities highlight how misconfigurations can provide entry points for attackers to exploit sensitive resources, emphasizing the need for organizations to reassess their CI/CD security practices.
The Security Risks of OIDC in CI/CD Pipelines
Unit 42 researchers identified three critical threat vectors in OIDC implementations that jeopardize security in CI/CD environments:
- Loosely Configured Identity Federation Policies: Misconfigured policies that fail to enforce stringent validation on OIDC token claims can inadvertently permit unauthorized access to sensitive systems. This often manifests in permissive configurations, such as accepting overly general sub or aud claim values, which fail to adequately differentiate legitimate users from malicious actors.
- User-Controlled Claim Values: Some OIDC configurations rely on claims generated from user-controlled inputs, such as branch names or workflow filenames. While valid claims are signed by Identity Providers (IdPs), their values can be manipulated to bypass security checks, effectively allowing users to “write their own permissions.”
- Poisoned Pipeline Execution (PPE) in Permissive Identity Federations: PPE vulnerabilities can be leveraged to escalate privileges within CI/CD systems. Exploiting a vulnerable CI pipeline allows attackers to obtain fraudulent OIDC tokens that meet lax federation policies, granting unauthorized access to high-value resources.
These findings underscore how misconfigurations in both authentication and authorization phases of OIDC can compromise the integrity of CI/CD systems, giving attackers access to critical assets.
Real-World Implications and Vendor Responses
CircleCI’s initial OIDC implementation inadvertently exposed risks tied to forked pull requests.
Tokens generated during these workflows could authenticate external users, granting access to resources configured to trust those tokens.
Upon receiving Unit 42’s findings, CircleCI promptly adjusted its system to disable OIDC token generation in fork workflows by default, mitigating the vulnerability and empowering customers to implement granular access controls.
The dual role of CI vendors as both runner provisioners and IdPs introduces unique security considerations.
Any customer of the same vendor can obtain machine-identity tokens signed by the vendor, automatically satisfying authentication requirements.
This makes stringent authorization policies critical to preventing unauthorized access and ensuring security boundaries are preserved.
To address these vulnerabilities, Unit 42 emphasizes the importance of adopting stringent security measures:
- Granular Policies: Configure identity federation rules to focus on repository-specific patterns, avoiding organization-wide configurations that increase exposure risk.
- Strict Validation: Implement claim validation to safeguard against user-manipulated claims. Avoid relying on claims derived from user-controlled inputs for critical security decisions.
- Continuous Auditing: Regularly review OIDC configurations, focusing on federation policies, custom claims, and privilege escalation risks.
- CI Security Best Practices: Harden CI/CD pipelines against PPE vulnerabilities through defense-in-depth strategies and careful runtime monitoring.
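To make the threat vectors and the Granular Policies / Strict Validation recommendations above concrete, here is an added illustration (not Unit 42's, CircleCI's or any vendor's code) that evaluates constructed CI token claims against a loose and a strict federation policy; the issuer URL, the sub format and the "ref" and "is_fork" claim names are assumptions for the example, not a real vendor's claim set.

```python
import re
from fnmatch import fnmatch
from typing import Mapping

# Placeholder issuer; a real policy pins the CI vendor's actual IdP URL.
TRUSTED_ISSUER = "https://oidc.example-ci.invalid"

# Constructed claim sets in the shape a CI vendor's IdP might issue.
# A normal build of our own repository on its default branch.
LEGIT_MAIN_BUILD = {"iss": TRUSTED_ISSUER, "aud": "deploy-prod",
                    "sub": "org:acme/project:payments-api",
                    "ref": "refs/heads/main", "is_fork": False}
# A forked pull request into the same project: same signer and sub, but the
# branch name ("ref") was chosen by the outside contributor.
FORK_PR_BUILD = {"iss": TRUSTED_ISSUER, "aud": "deploy-prod",
                 "sub": "org:acme/project:payments-api",
                 "ref": "refs/heads/main", "is_fork": True}
# Another customer of the same vendor: the token is validly signed, so
# authentication alone cannot tell it apart from ours.
OTHER_TENANT_BUILD = {"iss": TRUSTED_ISSUER, "aud": "deploy-prod",
                      "sub": "org:evilcorp/project:anything",
                      "ref": "refs/heads/main", "is_fork": False}


def loose_policy(claims: Mapping[str, object]) -> bool:
    """Permissive federation rule: org-wide sub wildcard, and a branch-derived
    (user-controlled) claim is what gates access."""
    return (claims["iss"] == TRUSTED_ISSUER
            and claims["aud"] == "deploy-prod"
            and fnmatch(str(claims["sub"]), "org:*")
            and claims["ref"] == "refs/heads/main")


def strict_policy(claims: Mapping[str, object]) -> bool:
    """Repository-pinned sub, exact audience, no reliance on user-controlled
    claims, and tokens minted for fork workflows are rejected outright."""
    return (claims["iss"] == TRUSTED_ISSUER
            and claims["aud"] == "deploy-prod"
            and claims["sub"] == "org:acme/project:payments-api"
            and claims.get("is_fork") is False)


# Audit helper for the "continuous auditing" step: a subject pattern counts as
# repo-pinned only if it names exactly one org and one project, no wildcards.
REPO_PINNED = re.compile(r"^org:[\w.-]+/project:[\w.-]+$")


def subject_pattern_is_repo_pinned(pattern: str) -> bool:
    return REPO_PINNED.fullmatch(pattern) is not None
```

Run against the three constructed tokens, the loose rule admits all of them while the strict rule admits only the legitimate build.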
Palo Alto Networks has incorporated these insights into its cloud security offerings.
The Infrastructure as Code (IaC) scanner in Prisma Cloud now detects vulnerable OIDC configurations, enabling automated protections against potential breaches.
As OIDC continues to gain traction, organizations must remain vigilant to its risks in CI/CD pipelines.
Despite its promise of secure and seamless authentication, lax configurations can undermine security efforts, leaving organizations exposed.
Unit 42 recommends a multi-layered approach to security, combining vendor-specific mitigation strategies with robust identity federation policies.
For organizations suspecting compromise, the Unit 42 Incident Response team remains available for support.
This research serves as a wake-up call for enterprises to proactively address vulnerabilities in their CI/CD workflows, ensuring that the adoption of OIDC strengthens, rather than weakens, their security posture.