Vulnerabilities were discovered in misconfigured GitHub Actions workflows, which can impact millions of potential victims. ("GitHub Office" by DASPRiD is marked with CC BY 2.0.)

Researchers on Friday discovered critical vulnerabilities in several popular open-source projects, each of which could enable a supply chain attack through the continuous integration (CI) process.

In a blog post, Cycode researchers reported that they found the vulnerabilities in misconfigured GitHub Actions workflows, which can impact millions of potential victims. According to the researchers, the workflows were missing proper input sanitization, which allows malicious actors to inject code into the builds through issues and comments, as well as to access privileged tokens.
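
The missing input handling described above, as an added example that is not Cycode's code or any of the named projects' workflows: a small dependency-free checker that flags attacker-controlled event fields interpolated directly into `run:` steps, run over two constructed workflows, one vulnerable and one that passes the value through an environment variable and limits the job token's permissions. The field list and both sample workflows are assumptions constructed for this example.

```python
import re
# Event fields an outside contributor controls (issue/comment text, PR title, head
# branch); in a run: script they become shell code. Constructed, non-exhaustive list.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue\.(?:title|body)|comment\.body|pull_request\."
    r"(?:title|body|head\.(?:ref|label)))\s*\}\}|\$\{\{\s*github\.head_ref\s*\}\}"
)

def find_script_injection(workflow_yaml: str) -> list:
    """Return (line_number, expression) for untrusted expressions inside run: steps."""
    # run: blocks are tracked by indentation (no YAML library needed): a line stays
    # in the block while it is indented deeper than the run: key itself.
    findings = []
    in_run, run_indent = False, 0
    for n, line in enumerate(workflow_yaml.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(stripped)
        if in_run and indent <= run_indent:
            in_run = False  # back at key level: the run: block ended
        if not in_run and stripped.lstrip("- ").startswith("run:"):
            in_run, run_indent = True, indent
        if in_run:
            findings.extend((n, m.group(0)) for m in UNTRUSTED.finditer(line))
    return findings

# Constructed sample: the issue title is interpolated straight into the script.
VULNERABLE = """\
on: issues
jobs:
  triage:
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""
# Constructed sample: the value reaches the shell only through an env var, and the
# job token is limited to what the step needs instead of the default broad grant.
HARDENED = """\
on: issues
permissions:
  issues: write
jobs:
  triage:
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""
```

The checker reports the vulnerable workflow's line 6 and nothing for the hardened one; it only covers `run:` steps, so inputs to third-party actions still need a separate review.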

Of the dozens of vulnerable repositories they found, the most popular were Liquibase, Dynamo BIM, FaunaDB, Wire, Astro, Kogito, and Ombi.

While Log4j was the vulnerability that got everyone’s attention and made national news over the past several months, more than 4,000 high-severity vulnerabilities were announced in 2021, said Ratan Tipirneni, president and CEO at Tigera. Tipirneni said the recent Cycode discovery of critical vulnerabilities in several popular open-source projects further demonstrates that as the pace of innovation combined with the use of open-source libraries increases, we will continue to see an increase in vulnerabilities and threats.

“This is an ominous sign for the highly constrained security and DevOps teams,” Tipirneni said. “It’s nearly impossible for any DevOps or security team to keep up with attackers. To close the security gap, businesses will need to bring the principles of zero-trust and defense-in-depth to the entire CI/CD pipeline to actively mitigate risks with a combination of preventive measures and active defense.”

Casey Bisson, head of product and developer relations at BluBracket, added that we know that open source has become a critical component in virtually all modern applications and that targeting these upstream projects is a way to quickly compromise the software supply chain. However, Bisson said too often, people view the code supply chain exclusively in terms of dependency risks, with too little attention on securing the pipeline from developer to deploy in their own environments.

“Our research shows most Git and CI/CD access and configuration vulnerabilities are accidental, but companies lack tools to monitor or guide them on best practices,” Bisson said. “Companies in every industry are seeing a growing need to implement early and automate scanning of code and access throughout the software development workflow to identify and remediate risks at the source and before they propagate down the software supply chain.”