Harden-Runner 'disable-sudo' 策略规避

该漏洞的关键在于Harden-Runner通过移除运行器用户sudoers文件中的权限来实施disable-sudo策略。然而，由于运行器用户属于docker组，攻击者可以利用Docker守护进程来启动特权容器或访问主机文件系统。这使得攻击者能够绕过sudo限制，获得root权限，进而控制整个系统。攻击者可以利用此漏洞执行恶意代码、窃取敏感数据，甚至完全控制GitHub Actions运行器。

Organizations heavily reliant on GitHub Actions for CI/CD pipelines are at significant risk. Specifically, deployments utilizing older versions of Harden-Runner (0.12.0 - 2.11.9) and granting the runner user broad Docker group permissions are particularly vulnerable. Shared hosting environments where multiple users share a runner instance also face increased exposure.

• docker: Inspect Docker group membership for the runner user.

getent group docker | grep -q 'runner' && echo 'Potential Vulnerability: Runner user is in Docker group'

• docker: Monitor Docker daemon logs for unusual container creation or privilege escalation attempts. • generic web: Review GitHub Actions workflows for any suspicious commands or container configurations. • linux / server: Audit Docker daemon configuration for overly permissive settings. • windows / supply-chain: (Less relevant, but check for Docker Desktop installations on runner machines and their configurations.)

1. 2025-04-21Disclosure

   disclosure

1. 已保留2025-04-14
2. 发布日期2025-04-21
3. 修改日期2025-04-22
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即升级至Harden-Runner 2.12.0或更高版本，该版本修复了此漏洞。如果升级不可行，可以考虑以下临时缓解措施：限制运行器用户对Docker守护进程的访问权限，例如通过AppArmor或SELinux策略。此外，监控Docker容器的活动，以检测任何异常行为。升级后，请验证disable-sudo策略是否正常工作，确保运行器用户无法通过Docker守护进程获得root权限。