Legit Security Discovers GitHub Privilege Escalation Vulnerabilities and Warns Organizations of Potential Software Supply Chain Attacks

TEL AVIV, Israel, April 12, 2022 (GLOBE NEWSWIRE) -- Legit Security, a cyber security company with an enterprise SaaS platform to secure an organization’s software supply chain, today announced the responsible disclosure of recently found GitHub-Actions pipeline privilege escalation vulnerabilities. These vulnerabilities open the door to software supply chain attacks where an attacker could take control of an organization’s software build process to disrupt internal operations or embed attacker-controlled code or backdoors in software that puts downstream customers at risk. Earlier this year, Legit Security announced a free Rapid Risk Assessment for organizations to obtain immediate insight into broader vulnerabilities across their software supply chain, including this most recent issue. In response to this specific GitHub issue, Legit Security has published a technical disclosure blog on their website which includes detailed guidance for organizations to remediate it.

The vulnerabilities were discovered in GitHub-Actions workflows, which is the software build service of the extremely popular GitHub source code management system at the heart of many organization’s software supply chains and used by software developers globally. GitHub is used primarily for software version control, management of user changes to source code, and software build instructions - which is the functionality that can be exploited with these newly discovered vulnerabilities. The challenge of securing software supply chains, including the pipelines, systems, code and people within it, has received greater visibility and importance due to several recent high-profile attacks. Legit Security has developed a purpose-built security platform to protect the end-to-end software supply chain environment to address this growing need.

“Our mission and purpose in creating Legit Security is to help protect organizations from software supply chain attacks,” said Liav Caspi, Chief Technical Officer and co-founder of Legit Security. “The threat landscape is constantly changing, and our in-house security researchers are continually tracking security best practices across the industry including searching for new threats. We’re actively contributing to the broader cybersecurity community to improve resilience against these damaging attacks, and also embed these findings and security best practices as hundreds of security policies enforceable within our Legit Security platform.”

According to Gartner®, 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021. Cybercriminal breaches or takeovers of an organization’s software supply chain have resulted in many high profile cyber-attacks over the years including SolarWinds, Codecov, Kaseya, NotPetya and others.

“Concerns about software supply chain resiliency have elevated beyond IT Security Leaders to business executives and the board room,” said Roni Fuchs, CEO of Legit Security. “Preventing attacks that can create havoc on internal operations, infiltrate an organization’s software, jeopardize customers, and disrupt entire digital business models deserve to be among their highest priorities. We’re proud to help organizations with best practice guidance and to also offer a security platform that not only addresses these vulnerabilities but also allows organizations to do so efficiently and at scale.”

Legit Security has previously shared the technical disclosure of this GitHub pipeline privilege escalation to GitHub. Legit Security’s internal security research team sampled very popular GitHub repositories rated with over 1000 stars and found many subject to this vulnerability. Legit Security has reached out directly to those affected sites, including a vendor with one of the world’s most popular open source web server products used to power hundreds of millions of websites, and that vendor was able to successfully remediate the vulnerability the next day.

For detailed information on how to protect your organization from this GitHub pipeline privilege escalation, please visit Legit Security’s technical disclosure blog. If you are interested in obtaining a thorough, no-cost Rapid Risk Assessment please submit your request here.

About Legit Security
Legit Security protects software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people so that businesses can stay safe while releasing software fast. Legit provides an easy to implement SaaS platform that supports both cloud and on-premises resources and combines automated discovery and analysis capabilities with hundreds of security policies developed by industry experts with real-world SDLC security experience. This integrated platform keeps your software factory secure and provides continuous assurance that your applications are released without vulnerabilities.

Media Contact
Tony Keller