Security Experts:

Critical GoCD Authentication Flaw Exposes Software Supply Chain

A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.

The vulnerability was flagged in GoCD, a CI/CD server product used in many parts of Silicon Valley, and can be exploited by unauthenticated attackers to siphon highly sensitive information from a vulnerable GoCD Server instance, including all encrypted secrets stored on the server.

"The vulnerability can be used to impersonate a GoCD Agent, i.e. GoCD worker, and take over software delivery pipelines. [It can be] used to take over a GoCD server and execute arbitrary code on it," according to an advisory from SonarSoure.

SonarSource researcher Simon Scannell explained that an unauthenticated attacker can extract all tokens and secrets used in all build pipelines.

“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell added.

[ READ: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack ]

SonarSource warned that all GoCD instances within the version range v20.6.0 through v21.2.0 are affected . 

The maintainers of the open-source GoCD fixed the vulnerability in version v21.3.0.

Scannell notes that the vulnerabilities work on default configurations and can be triggered even if authentication mechanisms are deployed for a GoCD server instance. 

"We highly recommend applying the available patches as quickly as possible. Although it is best practice to host CI/CD instances on an internal network, we observed hundreds of instances exposed to the internet," Scannell added.

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Attack

Related: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Related: Google Intros SLSA Framework to Enforce Supply Chain Integrity

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.