GoCD Unauthenticated Takeover
On October 27, an engineer at SonarSource found that a change made in 2018 to the GoCD Continuous Integration system code completely removed the authentication logic for incoming requests destined to the service’s addon’s directory. It also seems that several addons, which are installed and enabled by default, had some bugs of their own. Combined with the removed authentication logic, it could allow an attacker to pull off a remote code execution (RCE) with little to no skill.
What is the Issue?
Censys found that 458 hosts were running 592 internet-facing GoCD services using this simple Censys search. Below is a breakdown of GoCD versions that Censys was able to find running on the public internet. Vulnerable versions are marked in red.
These types of systems are used in software engineering to monitor and automatically build and test software. These build systems compile, test, run, and, in some cases, deploy software for production use. Because of this, the server software running these pipelines also has full access to a company’s code and development environments where a bad actor could start introducing malicious code into the build cycle. This attack method is often referred to as a “Supply Chain Attack,” where attackers target automated systems critical to a company’s operation; it doesn’t get any more dangerous than a weak link in that chain having source-level access (and the ability to manipulate a build) to a codebase.
Why does it matter?
Many critical components of an organization hinge on the build processes of software development teams. Weaknesses in such areas can result in a domino effect of compromised devices and services where any component built on a CI system could potentially be infected with malicious code.
Because the attack described by SonarSource is exceptionally trivial to execute, administrators should upgrade installations of this service immediately. Currently, there are three known exploitable paths, all sourced from an addon called “Business Continuity”:
|Has a user-controllable argument called “pluginName”, which does not correctly sanitize the input, allowing an attacker to read any file on the system. (Screenshot of the attack above).|
|Will allow an attacker to retrieve the entire configuration file for the GoCD service, including any associated environment variables used during startup. One of the more dangerous configuration elements that an attacker can find within this file is the `agentAutoRegisterKey`, which is used to stage new GoCD build agents (potentially injecting malicious elements into the final build) without any authentication.|
|Will allow the attacker to download the private encryption key used to encrypt sensitive data on the host (like access tokens and passwords returned from the cruise_config endpoint)|