Legit Security discovers GitHub privilege escalation
TEL AVIV, Israel, April 12, 2022 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise SaaS platform to secure an organization’s software supply chain, today announced the responsible disclosure of recently discovered privilege escalation vulnerabilities in the GitHub Actions pipeline. These vulnerabilities open the door to software supply chain attacks in which an attacker could take control of an organization’s software creation process to disrupt internal operations or embed attacker-controlled code or backdoors in software, putting downstream customers at risk. Earlier this year, Legit Security announced a rapid risk assessment that gives organizations immediate insight into broader vulnerabilities in their software supply chain, including this most recent issue. In response to this specific GitHub issue, Legit Security has posted a technical disclosure blog on its website with detailed guidance for organizations on how to address it.
The vulnerabilities were discovered in GitHub Actions Workflows, the software authoring service of the extremely popular GitHub source code management system, which sits at the heart of many organizations’ software supply chains and is used by software developers around the world. GitHub is primarily used for software version control, management of user changes to source code, and software build instructions; it is this last function that the newly discovered vulnerabilities can exploit. The challenge of securing software supply chains, including the pipelines, systems, code, and people within them, has received heightened visibility and prominence due to several recent high-profile attacks. Legit Security has developed a security platform specifically designed to protect the end-to-end software supply chain environment and meet this growing need.
“Our mission and purpose in creating Legit Security is to help protect organizations against software supply chain attacks,” said Liav Caspi, CTO and co-founder of Legit Security. “The threat landscape is constantly changing, and our in-house security researchers continuously track industry-wide security best practices, including researching new threats. We actively contribute to the wider cybersecurity community to improve resilience against these damaging attacks, and also incorporate these findings and security best practices as hundreds of enforceable security policies within our Legit Security Platform.”
According to Gartner®, 45% of organizations worldwide will have suffered attacks on their software supply chains by 2025, a threefold increase from 2021. Breaches or takeovers of an organization’s software supply chain by cybercriminals have resulted in many high-profile cyberattacks over the years, including SolarWinds, Codecov, Kaseya, NotPetya, and others.
“Concerns about software supply chain resiliency have risen beyond IT security managers to corporate executives and boardrooms,” said Roni Fuchs, CEO of Legit Security. “Preventing attacks that can wreak havoc on internal operations, infiltrate an organization’s software, endanger customers, and disrupt entire digital business models deserves to be among their highest priorities. We pride ourselves on helping organizations with best practice guidance and also offering a security platform that not only addresses these vulnerabilities, but also enables organizations to do so effectively and at scale.”
Legit Security previously disclosed this GitHub pipeline privilege escalation to GitHub. Legit Security’s internal security research team sampled very popular GitHub repositories with over 1000 stars and found many of them prone to this vulnerability. Legit Security contacted the affected projects directly, including a vendor of one of the world’s most popular open-source web server products, used to power hundreds of millions of websites, and that vendor successfully remediated the vulnerability the next day.
For detailed information on how to protect your organization against this privilege escalation from the GitHub pipeline, please see the Legit Security Technical Disclosure Blog. If you would like a free, in-depth rapid risk assessment, please submit your request here.
About Legit Security
Legit Security protects software supply chains from attack by automatically discovering and securing pipelines, infrastructure, code, and people so businesses can stay secure while rapidly releasing software. Legit provides an easy-to-implement SaaS platform that supports cloud and on-premises resources and combines automated discovery and analysis capabilities with hundreds of security policies developed by industry experts with real SDLC security experience. This integrated platform keeps your software factory secure and continuously ensures that your applications are released without vulnerabilities.