This Week in Software Supply Chain Security: April 11 - April 17, 2024
There was a security conference this week...
Welcome to This Week in Supply Chain Security, your essential weekly resource for the latest developments in software supply chain security. Each week, we bring you critical insights and updates to help you stay ahead in safeguarding your software supply chain. Brought to you by the open source security experts at Stacklok.
🚨 Recent Security Incidents
A selection of the most impactful security breaches or threats in supply chains
XZ Copycats
OpenJS and the OpenSSF have issued an alert that several other projects in the JavaScript ecosystem have been targeted by social engineering attacks attempting to add additional maintainers. The attacks have looked similar to the beginning of the XZ compromise: new, unknown accounts volunteering to help with maintenance of projects, bolstered by multiple other accounts requesting immediate action. The alert includes a list of suspicious patterns to watch for in social engineering takeovers, including "Friendly yet aggressive and persistent pursuit of maintainer by unknown members" and cautions around sock puppets.
PuTTY Vulnerability Can Leak Secret Keys Through Git Signing
The PuTTY project announced a CVE on Monday that allows recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys from as few as 60 signatures. The bug is in how PuTTY generates the ECDSA nonce: it is derived from a 512-bit hash, so for P-521's 521-bit group order the top bits of every nonce are always zero, and that bias is enough for a lattice attack given a few dozen signatures. The signatures don't have to be captured from SSH sessions; signed git commits pushed to a public repository are a ready source. If you've used a P-521 ECDSA key with PuTTY, TortoiseGit, the Pageant SSH agent or other software that embeds PuTTY, consider that key compromised: anyone holding enough of its signatures can recover it and use it in the future. Other key types (P-256, P-384, Ed25519, RSA) are not affected. Update, generate a new key, and replace the old public key everywhere it is trusted, including your GitHub SSH and signing keys and any authorized_keys files on servers.
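Since only P-521 keys need rotating, the first practical step is an inventory. The following script is an added example, not code from the PuTTY project or this newsletter: it parses OpenSSH public key lines (authorized_keys files, or the output of `https://github.com/<user>.keys`), reads the key type from inside the base64 blob rather than trusting the text prefix, and lists every ecdsa-sha2-nistp521 key. The sample input at the bottom is constructed with zeroed placeholder key material and is not a real key.

```python
import base64
import struct
import sys

# Only NIST P-521 ECDSA keys are affected by the PuTTY nonce bias described
# above; P-256/P-384, Ed25519 and RSA keys are not.
AFFECTED_TYPES = {"ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    """Decode an RFC 4251 'string' at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_pubkey_line(line: str) -> dict:
    """Parse an OpenSSH public key line of the form 'type base64 [comment]'.

    The key type is taken from the first string inside the blob and
    cross-checked against the text prefix, so a mislabelled line is
    reported instead of silently trusted.
    """
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    raw_type, offset = read_ssh_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared:
        raise ValueError(f"prefix {declared!r} does not match blob type {key_type!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        raw_curve, offset = read_ssh_string(blob, offset)
        curve = raw_curve.decode("ascii")
    comment = fields[2].strip() if len(fields) > 2 else ""
    return {"type": key_type, "curve": curve, "comment": comment}


def find_affected_keys(lines) -> list:
    """Return the comment (or type, if uncommented) of every key to rotate.

    Blank lines and '#' comments are skipped. Lines that cannot be parsed
    (for example authorized_keys entries with a leading options field) are
    reported on stderr rather than silently ignored.
    """
    affected = []
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            key = parse_pubkey_line(stripped)
        except (ValueError, UnicodeDecodeError) as exc:
            print(f"line {lineno}: could not parse ({exc})", file=sys.stderr)
            continue
        if key["type"] in AFFECTED_TYPES:
            affected.append(key["comment"] or key["type"])
    return affected


# --- constructed sample input: dummy key material, NOT real keys -----------
def _fake_ecdsa_line(curve: str, comment: str) -> str:
    key_type = f"ecdsa-sha2-{curve}"
    # A zeroed 133-byte placeholder point keeps the blob well-formed for the
    # parser without being a usable key (real point sizes vary per curve).
    blob = (ssh_string(key_type.encode()) + ssh_string(curve.encode())
            + ssh_string(b"\x04" + b"\x00" * 132))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def _fake_ed25519_line(comment: str) -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# keys trusted by the deploy user (constructed sample)",
    _fake_ecdsa_line("nistp521", "alice@laptop-putty"),
    _fake_ecdsa_line("nistp256", "ci-runner"),
    _fake_ed25519_line("bob@workstation"),
]

if __name__ == "__main__":
    # Usage: python check_p521.py ~/.ssh/authorized_keys   (or pipe keys on stdin)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for name in find_affected_keys(source):
        print(f"ROTATE: {name}")
```

Run it over every authorized_keys file on your hosts and over `curl -s https://github.com/<user>.keys` for each engineer who used PuTTY-derived tooling; the comment field usually identifies the owner. Remember that a key only matters here if PuTTY, Pageant or TortoiseGit ever signed with it, but the script cannot see that, so it errs on the side of listing every P-521 key.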
Persistent Runners Compromised… but no vulnerability payout
John Stawinski shares the story of how he and Adnan Khan leveraged a persistent, self-hosted GitHub Actions runner to compromise a server attached to Microsoft's main Active Directory domain. By getting a small typo-fix PR merged, they became a previous contributor whose later pull-request workflows ran on the self-hosted runner without requiring approval, and because the runner was persistent rather than ephemeral, they were able to use that foothold to pivot to the machine in question. They reported the issue to Microsoft, who fixed it. Unfortunately, the project they compromised wasn't in MSRC's bug bounty program, so they weren't eligible for a vulnerability payout.
Urgent Credential Rotation
CISA issued a warning last week for customers to rotate any credentials stored with Sisense, and to report any suspicious activity involving those credentials to CISA. It's unclear exactly what the compromise was, but this appears to be a supply chain attack against a data analytics service provider, with the goal of harvesting customer credentials for use elsewhere.
Missed CVE Left a Vulnerability Unpatched for 6 Years
Binarly reports on how a vulnerability in the baseboard management controller (BMC) firmware shipped by Lenovo, Intel and other server vendors persisted for 6 years. The root cause was a security fix in lighttpd that was never picked up by AMI's BMC firmware because the fix was never assigned a CVE, so nothing flagged the bundled copy as vulnerable. Because the affected servers have reached end-of-life, the vendors have declined to fix the bug, and anyone still running them will be vulnerable for years to come.
It's SEO… for Malware on GitHub
Checkmarx reported on a malware campaign attempting to game GitHub search results with popular names, star-stuffing and frequent (automated) updates, in an attempt to rank highly on GitHub search. The repositories contained Visual Studio project files with malicious build events, so once a victim cloned a project and built it, the build step downloaded malware targeting cryptocurrency wallets. The malware also persisted by registering itself as a scheduled task that runs daily at 4am. Be careful when cloning new repos, folks!
💡 Free Tools and Tips
New open-source and free (as in beer) supply chain security news
Minder Cloud: Free For Public Repos
Stacklok (my employer and the sponsor of this newsletter) announced public availability of Minder Cloud (alpha), a software security platform for securing GitHub repositories, workflows and artifacts. Minder Cloud is a hosted version of the Minder open-source project, and is free for public GitHub repositories. Minder provides tools to ensure consistent configuration across GitHub orgs, and includes out-of-the-box policy recommendations as well as a configuration and policy language for advanced users to write their own rules. In addition to flagging policy violations, Minder includes the ability to automatically remediate problems via pull requests or the GitHub API.
Short-Term Tokens for GitHub Management
Chainguard built and released Octo STS (not to be confused with Okta) to reduce the sprawl of long-lived GitHub credentials. Octo STS is a service that vends short-lived GitHub tokens to tools that need to manage GitHub, once those tools prove their identity (e.g. as a GCP service account, an AWS role or a GitHub Actions job) to the Octo STS service. Octo STS itself is built on a GitHub App, and that App does need one long-lived secret in the form of its private key. Still, centralizing the issuance of short-lived tokens in one place simplifies audit, management and rotation.
A Tasty (or Messy) Tool For Checking Your Build Pipelines
Boost Security announced poutine, a tool for scanning build pipelines, including GitHub Actions, GitLab pipelines, Docker containers and several others. They've also released a CTF exercise in the form of MessyPoutine, which includes a number of vulnerable pipelines so you can see how these vulnerabilities play out in practice.
Proof of Diligence
Stacklok (yep, my employer and this newsletter's sponsor) has implemented a package scoring algorithm called "Proof-of-Diligence". Rather than specifying a set of SAST or other repo rules, it aims to model the trust relationships between contributors and repos (like PageRank does between pages and links) to propagate trust scores between different participants. It's currently in a private beta, so you'll need to sign up to browse the graph, but the paper is free and the service will be publicly available when complete.
Community and Public Sector Updates
SPDX 3.0 Released
The Linux Foundation announced the release of version 3 of the SPDX Software Bill of Materials (SBOM) format at Open Source Summit NA this week. For those of you living under a supply chain rock, SBOMs provide a catalog of the software libraries and tools used to compose a released artifact like a library or application. SPDX 3.0 introduces support for profiles, which allow tailoring the format to applications like security, attestation, licensing, AI model training and data set provenance. The standard is freely available and aims to provide a common interchange format for a wide variety of tools.
So What Do I Do With These SBOMs?
Also on Tuesday, the OpenSSF, CISA and DHS announced the launch of Protobom, a protocol buffers representation of SBOM data. Protobom can ingest both SPDX and CycloneDX documents into a single in-memory representation, and because it has parsers for input and serializers for output in both formats, applications that consume SBOMs can use it to read either format and to convert between the two.
Supply Chain Security in the State of DevOps
While Datadog's State of DevOps report is mostly focused on deploying software, it includes several interesting statistics on supply chain security: 90% of Java services contain at least one critical or high-severity CVE in a third-party library, and most of those vulnerable libraries are indirect dependencies. Additionally, many CI/CD pipelines use long-lived credentials to access cloud environments rather than short-lived tokens (for example OIDC-federated roles), which means a compromised pipeline hands the attacker durable cloud access rather than a token that expires with the job.
That's all for this week! See you next Thursday…