Legit Security Uncovers Remote Code Execution Vulnerability in Microsoft’s Azure Pipelines, Posing Serious Risks to Software Supply Chains

TEL AVIV, Israel, April 04, 2023 (GLOBE NEWSWIRE) -- Legit Security, a cyber security company with an enterprise platform that protects software delivery from code to cloud, including the software supply chain, today announced that it has uncovered a remote code execution vulnerability in Microsoft’s Azure Pipelines. The vulnerability allows attackers to exploit Microsoft’s Azure DevOps Servers to initiate software supply chain attacks and execute malicious code that can compromise the security and integrity of an organization’s software products. Given the widespread use of Azure Pipelines in software development, this vulnerability poses a significant risk to businesses that rely on the service to deliver their software. Legit Security worked closely with Microsoft to disclose and remediate the vulnerability, and information on how to mitigate the risks can be found on Legit Security’s technical disclosure blog.

The remote code execution vulnerability discovered by Legit Security has received designation CVE-2023-21553 and affects Azure Pipelines, a very popular continuous integration and continuous delivery (CI/CD) service from Microsoft. Software build systems such as Azure Pipelines are the foundation of the software development process and are responsible for creating and compiling code into software products and automating their release. Vulnerabilities within the build system are very dangerous since attackers can inject malicious code and infect the resulting software products delivered downstream to customers.

The discovered vulnerability originates in the logging commands mechanism of Azure Pipelines and enables attackers to execute code that could directly compromise the security and integrity of downstream software. Attackers could also leverage this vulnerability to access sensitive secrets contained within the software pipeline, such as passwords to sensitive resources and access keys to cloud services, to initiate lateral attacks and further compromise an organization. As a result, if left unaddressed, this vulnerability could have devastating consequences for businesses that rely on Azure Pipelines to build and deploy their software.

“Software build pipelines are a critical part of the software supply chain, and vulnerabilities within them can enable malicious code injection and code tampering similar to the notorious SolarWinds attack,” said Liav Caspi, CTO and co-founder of Legit Security. “Software producers need to be vigilant in protecting their software supply chains, which includes securing build pipelines and addressing vulnerabilities such as the one we discovered in Microsoft’s Azure Pipelines.”

Legit Security worked closely with Microsoft to address the vulnerability, and a patch has been released to mitigate the risk. Users with an out-of-date version of Azure DevOps Server could remain vulnerable, and users of the on-prem version (ADO Server version 2020.1.2 or lower) should apply the patch as soon as possible. It should be noted that not every pipeline in Azure Pipelines is vulnerable; exposure depends on the logging command features and patterns used. Organizations using Azure Pipelines are strongly encouraged to review Legit Security’s technical disclosure blog to determine if they are affected and to mitigate the risks.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.
