SSB-2023-001 - Risk of abuse of Automatic Review Apps feature
A design flaw in our “Review Apps” feature may have allowed malicious actors to affect integrity, availability or confidentiality of hosted Scalingo applications when linked to an public GitHub or Gitlab code repository.
The affected code has been corrected, the potentially impacted customers have been informed with an individual message.
We advise all our customers to:
- only enable Review Apps on non-production applications
- carefully configure their Software Configuration Management systems (GitHub, Gitlab) and to regularly audit their access rights and to enable all possible access controls.
On 23/01/2023, a Scalingo customer asked us on our support chat about a possible attack scenario linked to our “Review Apps” feature.
After a first assessment, a vulnerability has been identified and change in the product were planned to be developed. A few days later, an internal discussion led to a second analysis to re-evaluate the risk.
This analysis gave us a CVSS Score of 8.0 (8.0/7.4/7.5), and because the consequences could potentially be major for Scalingo internal data, hosted customer personal or health information, our process imposed us to trigger a Security Incident.
We opened a “virtual war room”, simultaneously listing the impacted customers, analyzing the threat scenarios, and devising the appropriate product and documentation changes on the short and long term.
The vulnerability is present in the code since the introduction of the feature: 17/11/2016
The conditions were the following:
- having enabled “Automatic Review Apps”
- having a public repository allowing forks
An attacker could then craft a fork of a public GitHub or Gitlab application where they could dump the environment variables and thus access external credentials of potential sensible resources.
Furthermore, they could also craft a
scalingo.json file to access the main databases and thus access potential personal information.
Note: we already assessed in our analysis that no HDS applications were impacted by this vulnerability.
- 2023-01-23 Customer report
- 2023-01-23 First analysis
- 2023-01-30 Reassessment and opening of a Security Incident
- 2023-01-30 Incident Response Team: Query our internal database to list at-risk applications
- 2023-01-30 Incident Response Team: Run a maintenance script to disable Automatic Review Apps feature for at-risk applications
- 2023-01-30 Incident Response Team: Ensure that no Scalingo credentials were leaked and that no internal data was accessed due to this vulnerability
- 2023-01-31 Product/Engineering: From now on, automatic creation of Review Apps has been disabled when the Pull Request / Merge Request is based on a branch coming from a forked repository.
- 2023-01-31 Product/Engineering: Update the “Review Apps” configuration page to add corresponding warnings
- 2023-01-31 Product/Engineering: Update the documentation
- 2023-01-31 Incident Response Team: Re-enable Automatic Review Apps Creation for the previously modified applications
- 2023-01-31 Incident Response Team: Publish a Security Bulletin describing the incident
- 2023-01-31 Incident Response Team: Communicate with the owners and collaborators of at-risk applications
What you should do
Use GitHub and Gitlab documentation to review PRs coming from untrusted users
What we will do in the future
- Continue to update the Security Bulletin
- Improve Vulnerability analysis process
- Implement more fine grained Review Apps control settings
Successful exploitation could lead to leak of credentials to external or internal data sources potentially including Personally Identifiable Information (access to databases, external APIs…)
Scalingo DBaaS addons
Database addons credentials could be leaked by a successful exploitation of the vulnerability.
Other Scalingo addons and services
2023-01-31 First version