Legit Security Uncovers Remote Code Execution Vulnerability in Microsoft’s Azure Pipelines, Posing Serious Risks to Software Supply Chains
Legit Security, a cyber security company with an enterprise platform that protects software delivery from code to cloud, including the software supply chain, announced that it has uncovered a remote code execution vulnerability in Microsoft’s Azure Pipelines. The vulnerability allows attackers to exploit Microsoft’s Azure DevOps Servers to initiate software supply chain attacks and execute malicious code that can compromise the security and integrity of an organization’s software products. Given the widespread use of Azure Pipelines in software development, this vulnerability poses a significant risk to businesses that rely on the service to deliver their software. Legit Security worked closely with Microsoft to disclose and remediate the vulnerability, and information on how to mitigate the risks can be found on Legit Security’s technical disclosure blog.
The remote code execution vulnerability discovered by Legit Security has received designation CVE-2023-21553 and affects Azure Pipelines, a very popular continuous integration and continuous delivery (CI/CD) service from Microsoft. Software build systems such as Azure Pipelines are the foundation of the software development process and are responsible for creating and compiling code into software products and automating their release. Vulnerabilities within the build system are very dangerous since attackers can inject malicious code and infect the resulting software products delivered downstream to customers.
The discovered vulnerability originates in the logging commands mechanism of Azure Pipelines and enables attackers to execute code that could directly compromise the security and integrity of downstream software. Attackers could also leverage this vulnerability to access sensitive secrets contained within the software pipeline, such as passwords to sensitive resources and access keys to cloud services, in order to initiate lateral attacks and further compromise an organization. As a result, if left unaddressed, this vulnerability could have devastating consequences for businesses that rely on Azure Pipelines to build and deploy their software.
“Software build pipelines are a critical part of the software supply chain, and vulnerabilities within them can enable malicious code injection and code tampering similar to the notorious SolarWinds attack,” said Liav Caspi, CTO and co-founder of Legit Security. “Software producers need to be vigilant in protecting their software supply chains, which includes securing build pipelines and addressing vulnerabilities such as the one we discovered in Microsoft’s Azure Pipelines.”
Legit Security worked closely with Microsoft to address the vulnerability, and a patch has been released to mitigate the risk. Users with an out-of-date version of Azure DevOps Server could remain vulnerable, and users of the on-prem version (ADO Server version 2020.1.2 or lower) should apply the patch as soon as possible. It should be noted that not every pipeline in Azure Pipelines is vulnerable, depending upon the logging command features and patterns used. Organizations using Azure Pipelines are strongly encouraged to review Legit Security’s technical disclosure blog to determine if they are affected and to mitigate the risks.