Legit Security Discovers GitHub Privilege Escalation Vulnerabilities and Warns Organizations of Potential Software Supply Chain Attacks

Legit Security, a cybersecurity company with an enterprise SaaS platform for securing an organization’s software supply chain, announced the responsible disclosure of recently found GitHub Actions pipeline privilege escalation vulnerabilities. These vulnerabilities open the door to software supply chain attacks in which an attacker could take control of an organization’s software build process to disrupt internal operations or embed attacker-controlled code or backdoors in software, putting downstream customers at risk. Earlier this year, Legit Security announced a free Rapid Risk Assessment that gives organizations immediate insight into broader vulnerabilities across their software supply chain, including this most recent issue. In response to this specific GitHub issue, Legit Security has published a technical disclosure blog on its website that includes detailed guidance for organizations on remediating it.

The vulnerabilities were discovered in GitHub Actions workflows, the software build service of the extremely popular GitHub source code management system, which sits at the heart of many organizations’ software supply chains and is used by software developers globally. GitHub is used primarily for software version control, management of user changes to source code, and software build instructions; it is this last function that can be exploited with the newly discovered vulnerabilities. The challenge of securing software supply chains, including the pipelines, systems, code and people within them, has received greater visibility and importance due to several recent high-profile attacks. Legit Security has developed a purpose-built security platform to protect the end-to-end software supply chain environment and address this growing need.

“Our mission and purpose in creating Legit Security is to help protect organizations from software supply chain attacks,” said Liav Caspi, Chief Technical Officer and co-founder of Legit Security. “The threat landscape is constantly changing, and our in-house security researchers are continually tracking security best practices across the industry including searching for new threats. We’re actively contributing to the broader cybersecurity community to improve resilience against these damaging attacks, and also embed these findings and security best practices as hundreds of security policies enforceable within our Legit Security platform.”

According to Gartner, 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021. Cybercriminal breaches or takeovers of an organization’s software supply chain have resulted in many high-profile cyber-attacks over the years, including SolarWinds, Codecov, Kaseya, NotPetya and others.

“Concerns about software supply chain resiliency have elevated beyond IT Security Leaders to business executives and the board room,” said Roni Fuchs, CEO of Legit Security. “Preventing attacks that can create havoc on internal operations, infiltrate an organization’s software, jeopardize customers, and disrupt entire digital business models deserves to be among their highest priorities. We’re proud to help organizations with best practice guidance and to also offer a security platform that not only addresses these vulnerabilities but also allows organizations to do so efficiently and at scale.”

Legit Security previously shared the technical disclosure of this GitHub pipeline privilege escalation with GitHub. Legit Security’s internal security research team sampled very popular GitHub repositories with over 1,000 stars and found many subject to this vulnerability. Legit Security reached out directly to those affected, including a vendor of one of the world’s most popular open source web server products, used to power hundreds of millions of websites, and that vendor was able to remediate the vulnerability the next day.
