Legit Security, a cyber security company with an Application Security Posture Management platform that helps organizations deliver fast and secure software releases, today announced that it discovered Continuous Integration/Continuous Delivery (CI/CD) security vulnerabilities in open-source projects from Google. The Legit Security Research Team found a vulnerability leveraging "GitHub environment injection" that allows attackers to take control of a vulnerable project's GitHub Actions CI/CD pipeline. In this case, any GitHub user could exploit the vulnerability found in the Google Orbit project to modify the project's source code, steal secrets, move laterally inside an organization and ultimately initiate a SolarWinds-like software supply chain attack. Google acknowledged and fixed the vulnerabilities after disclosure by Legit Security. For an in-depth description of the vulnerability and information on how to protect your organization, please visit the technical disclosure blog.
GitHub Actions is part of the extremely popular GitHub source code management system at the heart of many organization's software supply chains and used by software developers globally. The recently discovered vulnerability relates to GitHub's special environment variables file called "GITHUB_ENV", which is used to control the pipeline container's environment variables. The vulnerable project had a GitHub Actions workflow that wrote untrusted user input into the GITHUB_ENV file.
Legit Security's Research Team discovered that a specially crafted payload written to this file could allow an attacker to execute code on the target pipeline and thereby modify the source code or compromise the repository itself. This attack can be initiated by any GitHub user and is very easy to implement just by creating a pull request. The simple act of submitting the request will trigger the vulnerable build action and carry out a successful compromise. The attacker does not need a code review approval from the maintainer since the vulnerable build action is running on the pull request before the code is merged.
The Legit team disclosed these issues via Google's vulnerability disclosure program, along with remediation guidelines, and verified that these vulnerabilities weren't exploited by a malicious actor. The Google project vulnerability was remediated quickly and is now safe.
Unfortunately, there are many other projects using GitHub Actions that are susceptible to this same attack. Since using the GITHUB_ENV file is currently the widely accepted way to change environment variables in GitHub Actions, many repositories are using workflows that write untrusted data into this file, leaving them exposed these potential supply chain attacks.
This type of vulnerability joins a large number of other disclosed vulnerabilities and successful supply chain attacks targeting popular open-source libraries. The Legit Security Research Team has previously discovered a wide range of vulnerabilities in popular Source Code Management systems including GitHub, as well as other Software Development Lifecycle Management (SDLC) systems and infrastructure commonly found in an organization's software supply chain.
About Legit Security
Legit Security provides application security posture management to ensure secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.