Two open source projects vulnerable to ‘GitHub Environment Injection’
The industry has turned its attention to open source software vulnerabilities and is taking the protection of organizations from supply chain attacks more seriously.
Just two days after Google announced the Open Source Software Vulnerability Rewards Program (OSS VRP), which offers bug bounties for open source vulnerabilities, Legit Security on Thursday reported software supply chain attack vulnerabilities in open source projects from Google and Apache.
Legit Security said it did not time its press release to coincide with Google’s bug bounty announcement earlier this week.
“Google was responsive and fixed within a day,” said Derick Townsend, vice president of Legit Security. “We were probably part of their beta on this, but as far as the timing of the two announcements, it was pure coincidence.”
In a blog post, Legit Security researchers said they found a new type of CI/CD vulnerability, which they call “GitHub Environment Injection,” that allows attackers to take control of a vulnerable project’s GitHub Actions CI/CD pipeline. The researchers said any GitHub user could exploit this vulnerability to modify project source code, steal secrets, move laterally within the organization, and ultimately launch a SolarWinds-style supply chain attack.
Legit Security said the vulnerability was found in Google’s Firebase project and a very popular Apache integration framework project. Google and Apache acknowledged and patched the vulnerabilities after an initial disclosure by Legit Security.
It appears Legit Security ran an ethical disclosure process, ensuring patches were available before vulnerabilities were made public, said Philip Odence, managing director of Black Duck Audit Business at Synopsys Software Integrity Group.
“These cases are good reminders that while relying on open source is a practical necessity in software development today, companies need to go to great lengths to be security-conscious and manage accordingly with best-practice processes and tools,” Odence said.
Open source software offers great benefits by letting many developers’ eyes examine the code, said Ryan Kennedy, cybersecurity consultant at nVisium. Kennedy said that in launching its new OSS VRP bug bounty program, Google invited security researchers from the bug bounty community to review OSS.
“Google is leveraging its experience running bug bounty programs to help secure the largest open source ecosystem, which will hopefully spur further security research in the OSS,” said Kennedy. “Overall, this is a benefit to OSS and security of supply by providing additional incentives to conduct good faith security research in these areas.”
Casey Bisson, Head of Product and Developer Enablement at BluBracket, added that securing open source has become critical to fueling the global economy, and in some cases it has real-world security implications. Bisson said the real trend we’re seeing is the long shift from building everything in-house to using off-the-shelf components.
“Today, that means a combination of cloud services and open source software,” Bisson explained. “This trend has been driving the incredible software growth we’ve seen, and the magnitude of that growth is driving the supply chain complexity we’re seeing today. We see a few banner vulnerabilities in open source, but moving to open source is a boon to improving security. All software has bugs and security vulnerabilities, but the extra eyes on open source help identify and fix those risks faster and more efficiently than in closed-source solutions.”