Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Critical GoCD Authentication Flaw Exposes Software Supply Chain

A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.

A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.

The vulnerability was flagged in GoCD, a CI/CD server product used in many parts of Silicon Valley, and can be exploited by unauthenticated attackers to siphon highly sensitive information from a vulnerable GoCD Server instance, including all encrypted secrets stored on the server.

“The vulnerability can be used to impersonate a GoCD Agent, i.e. GoCD worker, and take over software delivery pipelines. [It can be] used to take over a GoCD server and execute arbitrary code on it,” according to an advisory from SonarSoure.

SonarSource researcher Simon Scannell explained that an unauthenticated attacker can extract all tokens and secrets used in all build pipelines.

“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell added.

[ READ: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack ]

SonarSource warned that all GoCD instances within the version range v20.6.0 through v21.2.0 are affected . 

The maintainers of the open-source GoCD fixed the vulnerability in version v21.3.0.

Scannell notes that the vulnerabilities work on default configurations and can be triggered even if authentication mechanisms are deployed for a GoCD server instance. 

“We highly recommend applying the available patches as quickly as possible. Although it is best practice to host CI/CD instances on an internal network, we observed hundreds of instances exposed to the internet,” Scannell added.

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Attack

Related: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Related: Google Intros SLSA Framework to Enforce Supply Chain Integrity


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.