Key Takeaways
1. A weakness in Gerrit could allow unauthorized code to enter important software projects without proper approval due to misconfigured permissions and review logic.
2. Attackers can bypass manual code reviews by using automated systems to inject unauthorized code directly.
3. At least 18 notable repositories, including Chromium and Dart, were identified as vulnerable to this issue.
4. Google has updated configurations to fix the vulnerability and advised other users of Gerrit to audit their permission settings.
5. No confirmed cases of exploitation have been reported, but the incident underscores the need for secure development practices in open-source projects.
A recently uncovered weakness in Gerrit, the open-source code review tool used by Google and several other organizations, might have made it possible for unauthorized code to enter important software projects without the usual approval steps. Security researchers at Tenable found that the issue arose from misconfigured permissions and incorrect review label logic. In some setups, attackers could use the "addPatchSet" permission to alter changes that had already been approved, inserting harmful code without triggering a re-review.
Automated Tools Bypass Reviews
A separate report from CybersecurityAsia.net confirmed that attackers could skip the manual review stage entirely and use automated submission systems to inject unauthorized code without any user involvement.
Vulnerable Repositories Identified
At least 18 notable repositories were marked as vulnerable, including those related to Chromium, Dart, Bazel, and other essential infrastructure components. This problem also included a race condition in the automated submission process, which permitted attackers to act within a short time frame before the code was merged.
As of the time the vulnerability was made public, no confirmed cases of exploitation had been seen in real-world scenarios. Tenable performed responsible testing with harmless code and did not execute a comprehensive end-to-end exploit of the vulnerability.
Steps Taken by Google
In response, Google has made configuration updates to address the issue. At the same time, Tenable has alerted other open-source projects that use Gerrit to check their configurations, as similar misconfigurations might be present elsewhere. They recommend that all Gerrit users audit their permission rules and label persistence policies to maintain code integrity. The underlying misconfigurations might also affect other organizations running Gerrit, especially where default permission settings and automated code submission processes are in use. This event highlights the continuing importance of secure development environments within the open-source ecosystem.
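The audit Tenable recommends can be started with a small script over a project's project.config: the added example below (not Tenable's or Gerrit's code) parses the git-config style file and flags the two settings the article names, an addPatchSet permission granted to a broad group and label copy conditions that carry votes onto new patch sets. The sample configuration is constructed, and the "risky" patterns it looks for are the author's assumptions, not Gerrit's own guidance.

```python
"""Audit a Gerrit project.config for broad addPatchSet grants and label
copy conditions that keep votes on new patch sets (heuristics are assumed)."""
import re
from collections import defaultdict

# Constructed sample project.config, not taken from any real project.
SAMPLE_CONFIG = """\
[access "refs/for/*"]
    addPatchSet = group Registered Users
    push = group Registered Users
[label "Code-Review"]
    function = MaxWithBlock
    copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
[label "Commit-Queue"]
    function = NoBlock
    copyCondition = is:ANY
"""

BROAD_GROUPS = {"Registered Users", "Anonymous Users"}
# Copy conditions that carry votes onto arbitrary new patch sets (assumed risky).
RISKY_COPY = re.compile(r"(is:ANY|is:MAX|changekind:REWORK)")

def parse_git_config(text):
    """Minimal git-config parser: (kind, name) -> [(key, value)], keeping duplicate keys."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)(?:\s+"([^"]*)")?\]$', line)
        if m:
            current = (m.group(1), m.group(2))
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return finding strings; an empty list means nothing was flagged."""
    findings = []
    for (kind, name), entries in parse_git_config(text).items():
        for key, value in entries:
            if kind == "access" and key == "addPatchSet":
                group = value.removeprefix("group ").strip()
                if group in BROAD_GROUPS:
                    findings.append(f"{name}: addPatchSet granted to broad group '{group}'")
            elif kind == "label" and key == "copyCondition" and RISKY_COPY.search(value):
                findings.append(f"label {name}: votes copied to new patch sets ({value})")
    return findings
```

Run `audit(open("project.config").read())` against a real export; a finding on a label such as Commit-Queue means an uploaded patch set inherits the vote that drives automated submission.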