A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.
The vulnerability was flagged in GoCD, a CI/CD server product used in many parts of Silicon Valley, and can be exploited by unauthenticated attackers to siphon highly sensitive information from a vulnerable GoCD Server instance, including all encrypted secrets stored on the server.
“The vulnerability can be used to impersonate a GoCD Agent, i.e. GoCD worker, and take over software delivery pipelines. [It can be] used to take over a GoCD server and execute arbitrary code on it,” according to an advisory from SonarSoure.
SonarSource researcher Simon Scannell explained that an unauthenticated attacker can extract all tokens and secrets used in all build pipelines.
“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell added.
[ READ: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack ]
SonarSource warned that all GoCD instances within the version range v20.6.0 through v21.2.0 are affected .
The maintainers of the open-source GoCD fixed the vulnerability in version v21.3.0.
Scannell notes that the vulnerabilities work on default configurations and can be triggered even if authentication mechanisms are deployed for a GoCD server instance.
“We highly recommend applying the available patches as quickly as possible. Although it is best practice to host CI/CD instances on an internal network, we observed hundreds of instances exposed to the internet,” Scannell added.
Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Attack
Related: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack
Related: Google Intros SLSA Framework to Enforce Supply Chain Integrity
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
- HiddenLayer Raises Hefty $50M Round for AI Security Tech
- Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages
- Extradited Russian Hacker Behind ‘NLBrute’ Malware Pleads Guilty
Latest News
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
- Firefox 118 Patches High-Severity Vulnerabilities
- Stolen GitHub Credentials Used to Push Fake Dependabot Commits
- Google Open Sources Binary File Comparison Tool BinDiff
- macOS 14 Sonoma Patches 60 Vulnerabilities
