Two open-source projects vulnerable to ‘GitHub Environment Injection’

A Google logo is shown on a screen during a keynote address. (Photo by Ethan Miller/Getty Images)

The industry has officially come around to focusing on open source software vulnerabilities and wants to get more serious about protecting organizations from supply chain attacks.  

Just two days after Google announced the Open Source Software Vulnerability Rewards Program (OSS VRP) that offers bug bounties for open-source vulnerabilities, Legit Security on Thursday reported on software supply chain attack vulnerabilities in open-source projects from Google and Apache.

Legit Security said it did not hold back its news release to coordinate with Google’s bug bounty announcement earlier this week.

“Google was responsive and fixed in a day,” said Derick Townsend, a vice president at Legit Security.  “We were probably part of their beta on this, but as far as the timing of the two announcements, it was purely coincidental.”

In a blog post, Legit Security researchers said they found a new type of CI/CD vulnerability called “GitHub Environment Injection” that lets attackers take control of the vulnerable project's GitHub Actions CI/CD pipeline. The researchers said any GitHub user could exploit this vulnerability to modify the project’s source code, steal secrets, move laterally and attack inside the organization, and ultimately initiate a SolarWinds-like supply chain attack. 

Legit Security said the vulnerability was found in the Google Firebase project and in a very popular integration framework project from Apache. Both Google and Apache acknowledged and fixed the vulnerabilities after an initial disclosure by Legit Security.

It sounds like Legit Security executed an ethical disclosure process, ensuring that patches were available before the vulnerabilities were publicized, said Philip Odence, general manager of the Black Duck Audit Business at Synopsys Software Integrity Group.

“These cases are good reminders that while relying on open source is a practical necessity in software development today, companies that do so must be mindful of security and manage accordingly with best practice processes and tools,” Odence said.

Open-source software offers great benefits by letting the eyes of many developers review the code, said Ryan Kennedy, cybersecurity consultant at nVisium. Kennedy said by launching its new OSS VRP bug bounty program, Google has invited security researchers from the bug bounty community to review OSS.

“Google is leveraging their experience with running bug bounty programs to help secure the greater open-source ecosystem, which will hopefully incentivize further security research into OSS,” Kennedy said. “Overall, this is a positive for OSS and supply security by providing additional incentives to perform good-faith security research in these areas.”

Casey Bisson, head of product and developer enablement at BluBracket, added that securing open source has become critical to powering the global economy, and in some cases it has real-life safety implications. Bisson said the real trend is the long shift from building everything in-house to using off-the-shelf components.

“Today, that means a combination of cloud services and open-source software,” Bisson explained. “That trend has been the foundation of the incredible growth in software we’ve seen, and the scale of that growth is what’s behind the supply chain complexity we’re seeing now. We do see some banner vulnerabilities in open source, but the shift to open source is a great boon for improving security. All software has some bugs and security vulnerabilities, but the additional eyes on open source help identify and fix those risks more quickly and effectively than in closed source solutions.”