Critical flaw in GoCD provides platform for supply chain attacks

Vulnerability in software used by Fortune 500 firms raises fears of SolarWinds-like impact

A critical vulnerability in popular CI/CD tool GoCD could allow unauthenticated attackers to extract encrypted secrets and poison software build processes – potentially paving the way to supply chain attacks.

The maintainers of the open source, Java-built platform have addressed the arbitrary file read flaw along with several other bugs discovered by Swiss security firm SonarSource.

Miscreants who abuse the vulnerability could take over GoCD servers and execute arbitrary code, as well as impersonate GoCD agents and seize control of software delivery pipelines.

SolarWinds-style threat

“Attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes,” said SonarSource security researcher Simon Scannell in a blog post.

The flaw, he added, could serve as a springboard for attacks of a similar nature to the SolarWinds hack, “where attackers gained access to the software delivery pipeline and added a backdoor to critical software, leading to one of the most impactful supply-chain attacks thus far”.

The lack of public data on how widely GoCD is used makes it hard to gauge the impact of a hypothetical supply chain attack, Scannell tells The Daily Swig, “but we know that it is used by Fortune 500 companies”.

He adds: “An attacker who has compromised a CI/CD pipeline can push malicious code into anything the pipeline produces – for example Docker images, JAR files, executables, libraries, etc.

“The malicious code would then impact anyone who uses and trusts the produced software.”

Broken authentication

The researchers traced the vulnerability to a breaking change made in August 2018 that removed support for OAuth and left each add-on responsible for enforcing authentication on the endpoints it exposes. “Prior to this commit, these endpoints were accessible to authenticated users only,” said Scannell.

The flaw itself arrived in 2020 with the Business Continuity add-on, which was designed to mitigate the impact of a failure of the GoCD server or of its database node: the endpoints it exposed under /add-on/business-continuity/ did not enforce that check, leaving them reachable by unauthenticated users.

This add-on has been removed from the latest version, but Scannell says he is unsure how the wider breaking change “will be addressed in the long-term”.

Timeline and patches

All GoCD instances running versions from v20.6.0 up to and including v21.2.0 are affected by the flaw.

GoCD’s security team were alerted to the vulnerabilities on October 18, 2021 through the tool’s vulnerability disclosure program on HackerOne. The issues were addressed in version v21.3.0, which landed on Tuesday (October 26).

“If no update can be run immediately, we recommend setting up firewall rules to prevent any HTTP requests to the /add-on/** and/or /add-on/business-continuity/** endpoints,” said Scannell.
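As an added example that is not part of the article, of GoCD's code or of SonarSource's research, the following Python script turns the two actionable facts above into checks a practitioner can run over an inventory: is_affected() applies the version window stated in the article (v20.6.0 up to and including v21.2.0, with v21.3.0 as the first fixed release), and blocks_addon_path() models the interim mitigation of refusing HTTP requests to /add-on/** at a reverse proxy or WAF. The /go context path, the sample inventory and the sample request paths are constructed for this example; the path normalisation (percent-decoding, collapsing repeated slashes and dot segments before the prefix comparison) is a general caveat for any prefix-based block rule, not something the article says about GoCD.

```python
import posixpath
import re
from urllib.parse import unquote

# Version window from the advisory: v20.6.0 up to and including v21.2.0 is
# affected; v21.3.0 is the first release carrying the fix.
AFFECTED_MIN = (20, 6, 0)
AFFECTED_MAX = (21, 2, 0)

# Assumption for this example: GoCD is served under the /go context path, so the
# /add-on/** endpoints named in the article appear as /go/add-on/** on the wire.
CONTEXT_PATH = "/go"
BLOCKED_PREFIX = "/add-on"


def parse_version(raw: str) -> tuple:
    """Reduce 'v21.2.0', '21.2.0' or '21.2.0-12345' to a comparable (21, 2, 0)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GoCD version string: {raw!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(raw: str) -> bool:
    """True when the reported server version falls inside the vulnerable window."""
    return AFFECTED_MIN <= parse_version(raw) <= AFFECTED_MAX


def triage(inventory: dict) -> dict:
    """Map server name -> 'patch' or 'ok' for a {name: version} inventory."""
    return {name: ("patch" if is_affected(ver) else "ok")
            for name, ver in inventory.items()}


def normalise_path(raw_path: str) -> str:
    """Canonicalise a request path the way a block rule must before matching.

    Drops the query string, percent-decodes once (match the decoding depth of
    the server behind the rule), collapses repeated slashes and resolves '.'
    and '..' segments, so spellings such as '/go//add-on/../add-on/x' or
    '/go/%61dd-on/x' cannot slip past a literal prefix comparison.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def blocks_addon_path(raw_path: str) -> bool:
    """Decide whether a request falls under /add-on/** and should be refused."""
    path = normalise_path(raw_path)
    if path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


if __name__ == "__main__":
    # Constructed inventory and request samples for the example.
    servers = {"build-eu": "v21.2.0", "build-us": "21.3.0", "legacy": "20.5.0"}
    for name, verdict in triage(servers).items():
        print(f"{name:10s} {servers[name]:8s} -> {verdict}")
    samples = [
        "/go/add-on/business-continuity/api/plugin",
        "/go//add-on/../add-on/x?y=1",
        "/go/%61dd-on/x",
        "/go/api/version",
        "/go/pipelines/add-on/",
    ]
    for p in samples:
        print(f"{'DENY ' if blocks_addon_path(p) else 'allow'} {p}")
```

The normalisation step is where a naive rule usually fails: a literal `startswith("/go/add-on/")` check passes `/go//add-on/...` and `/go/%61dd-on/...` straight through, while the server routes both to the same handler. Treat the block rule as a stop-gap only; the fix is the upgrade to v21.3.0.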

     

The researcher also warned that SonarSource had found “hundreds of instances exposed to the internet” in violation of best practices.

“We would like to thank the GoCD security team who have been exceptionally responsive in the disclosure process,” added Scannell.

SonarSource says a forthcoming, follow-up blog post will detail a cross-site scripting (XSS) vulnerability and remote code execution (RCE) bug chain in GoCD.

Source: The Daily Swig