CramHacks Chronicles #77: Weekly Cybersecurity Newsletter!

The Wiz Special:

GitHub Action supply chain attack: reviewdog/action-setup
Rami McCarthy investigates the root cause and intentions of the recently compromised tj-actions/changed-files GitHub Action. Reporting that the malicious actor was targeting Coinbase and that the tj-actions[bot] PAT token was compromised after poisoning the reviewdog/action-setup GitHub Action—an action used by tj-actions/eslint-changed-files and would have access to the tj-actions[bot] PAT token.

IngressNightmare: Unauthenticated RCE Vulnerabilities in Ingress NGINX
WIZ researchers disclosed a vulnerability in the Ingress NGINX Controller that enables network users to inject an arbitrary NGINX configuration by sending a malicious ingress object to the admission controller.

“To be clear, gaining initial access to a cluster's pod network is not as difficult as one might think - containerization on its own is not a strong security boundary, and many applications running on K8s are susceptible to container escape” -WIZ

WIZ Vulnerability Database
The WIZ team has launched a vulnerability database that aggregates vulnerability data from many sources. Reports generated using AI and metadata, such as “Has Public Exploit?” seem questionable, to say the least.

💩 The vulnerability database is untrustworthy, and if I had that influence, I would probably shut it down. Someone clearly doesn’t understand the EPSS model, and the technology assignments are wildly inaccurate. I haven’t even bothered to look at the more specific details.

But I like the “High Profile” section—the ones I’ve read were clearly written/reviewed by a knowledgeable human. Keep that, and partner with Google’s osv.dev for better-quality data.

Chainguard Assemble

This looked like a great event, and they released a lot of content yesterday. But Chainguard should’ve published a “Chainguard Assemble Event Overview” highlighting the newly launched products. There is an overview page, the first Google result, but no product information. Marketing miss!

📰 I have no insights on the effectiveness of either of these product launches, but the launch itself is lacking big time. IMO, Chainguard doesn’t seem to be excited about these, so why should I be? . . . However, I think Chainguard Libraries is a cool idea and should be straightforward for packages adhering to reproducibility standards. Not sure what the answer is for the vast majority that don’t.

Chainguard VMs
“Host containers on optimized, minimal, zero-CVE virtual machine images rebuilt from source daily for ephemeral cloud instances.”

Chainguard Libraries
“Consume libraries continuously built from source in Chainguard’s SLSA Level 2 build infrastructure, eliminating supply chain attacks at build and distribution phases of the package lifecycle.”