GoCD has released a security update for a critical authentication-bypass vulnerability (tracked as CVE-2021-43287) discovered by SonarSource, a Swiss security firm. The popular, free and open-source, Java-based Continuous Integration and Continuous Delivery (CI/CD) server is widely deployed infrastructure, and its abuse has the potential for massive disruption.
Unauthenticated attackers could use this vulnerability to extract encrypted secrets (together with the key needed to decrypt them), plant backdoors in internal or external software, or impersonate a GoCD Agent. Attackers could also take control of both software delivery pipelines and GoCD servers and execute arbitrary code on them. Ultimately, this weakness has the potential to enable large-scale supply chain attacks.
The severity of the vulnerability prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert encouraging “users and administrators to update to GoCD 21.3.0 or apply the necessary workarounds.”
Potential for another SolarWinds attack
SonarSource researcher Simon Scannell discusses this vulnerability in depth in a blog post “Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD”.
Scannell writes “With so much trust and responsibility placed in CI/CD solutions, a compromise of any part of the software delivery pipeline would be detrimental to a company running GoCD.”
“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks.”
This is reminiscent of the SolarWinds breach, where attackers gained access to a massive supply chain vendor with hundreds of thousands of customers, creating the most impactful supply-chain attack to date.
Authentication breaking change
GoCD was alerted to these vulnerabilities via their disclosure program on HackerOne.
SonarSource found that a breaking change to how GoCD routes add-on endpoints removed the authentication those endpoints previously required. In their words, the endpoint “breaking change could lead to add-ons being vulnerable to unauthenticated attacks”. Before this change, these endpoints were only reachable by authenticated users.
Because the endpoints no longer required authentication, an attacker could “extract all secrets that are available to a GoCD server with two requests: one for stealing the encryption key and one for obtaining all the encrypted secrets.”
The arbitrary file read itself lay in GoCD’s Business Continuity add-on, introduced in 2020. Abusing it leaks sensitive information from the server’s filesystem, including the encryption key and the encrypted secrets it protects.
Patching things up
Users running versions v20.6.0 through v21.2.0 are affected and should update immediately.
GoCD’s security team responded quickly, releasing patches two days after the initial report. The fix is included in v21.3.0, released on Tuesday, October 26, 2021.
Scannell suggests “If no update can be run immediately, we recommend setting up firewall rules to prevent any HTTP requests to the /add-on/** and/or /add-on/business-continuity/** endpoints.”
Blue Team Alpha also recommends looking for indicators of compromise associated with this GoCD vulnerability, since an attacker may have planted a foothold before the application was patched.
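As a starting point for that check, the following script is an added example written for this article; it is not code from GoCD, SonarSource or Blue Team Alpha. It does two things the text above calls for: it tests whether a server version falls in the affected range (20.6.0 through 21.2.0), and it scans web-server access logs for requests to the `/add-on/` paths named in the workaround, flagging any that carry path-traversal markers, which is the pattern an arbitrary file read would leave. The log format (Apache/nginx combined), the `/go/` context path and every sample log line are assumptions or constructed data, not real traffic.

```python
"""Added example (not from the article, GoCD or SonarSource): a small triage
script for the GoCD add-on endpoint issue. Log lines below are constructed."""

import re
from typing import Iterable, List, Tuple

# Affected range and fix version as stated in the article.
AFFECTED_MIN = (20, 6, 0)
AFFECTED_MAX = (21, 2, 0)
FIXED_VERSION = "21.3.0"

# Path prefixes named in the published workaround. GoCD normally serves
# under the /go/ context path, so both forms are checked (assumption).
ADDON_PREFIXES = ("/go/add-on/", "/add-on/")

# Apache/nginx "combined" access-log layout (assumption about your log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '21.2.0' or 'v21.2.0' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the server version lies in the 20.6.0 .. 21.2.0 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_addon_requests(lines: Iterable[str]) -> List[dict]:
    """Return one record per request that touched an add-on endpoint.

    On an affected server these endpoints were served without
    authentication, so any hit from an untrusted client deserves a look.
    Traversal markers in the request target are flagged separately,
    because the underlying bug was an arbitrary file read.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not path.startswith(ADDON_PREFIXES):
            continue
        lowered = target.lower()
        traversal = ".." in lowered or "%2e%2e" in lowered
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "status": int(m.group("status")),
            "traversal": traversal,
        })
    return hits


def triage(version: str, lines: Iterable[str]) -> dict:
    """Combine the version check and the log scan into one summary."""
    hits = find_addon_requests(lines)
    return {
        "affected": is_affected(version),
        "upgrade_to": FIXED_VERSION,
        "addon_requests": len(hits),
        "traversal_attempts": sum(1 for h in hits if h["traversal"]),
        "clients": sorted({h["ip"] for h in hits}),
    }


# Constructed sample log lines (not real traffic); the add-on sub-paths and
# query string are placeholders, not the actual vulnerable endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2021:10:01:02 +0000] "GET /go/pipelines HTTP/1.1" 200 5120
203.0.113.7 - - [20/Oct/2021:10:03:44 +0000] "GET /go/add-on/business-continuity/api/status HTTP/1.1" 200 32
203.0.113.7 - - [20/Oct/2021:10:03:45 +0000] "GET /go/add-on/business-continuity/api/files?name=..%2F..%2Fconfig%2Fsecret HTTP/1.1" 200 64
10.0.0.9 - - [20/Oct/2021:10:05:10 +0000] "POST /go/api/agents HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    print(triage("21.1.0", SAMPLE_LOG.splitlines()))
```

Run it against your real access logs in place of `SAMPLE_LOG`; a non-zero `addon_requests` count from external addresses on an affected version is the signal to pull the server's secrets, rotate every credential stored in it and review recent pipeline changes, not merely to patch.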