GoCD bug chain provides second springboard to supply chain attacks
11 November 2021 at 16:38 UTC
Updated: 11 November 2021 at 16:39 UTC
Follow-up to recent GoCD disclosure provides additional path to infiltrating build environments
The maintainers of GoCD, a widely used, open source tool that automates the continuous delivery (CD) of software, have addressed three vulnerabilities that, if chained, could lead to the underlying server being taken over.
The security flaws – comprising CVE-2021-43288, CVE-2021-43286, and CVE-2021-43289 – were discovered by Simon Scannell and Thomas Chauchefoin of SonarSource.
“An attacker who successfully exploits these vulnerabilities can leak intellectual property, modify source code, gain access to production environments, and backdoor any software that the CI/CD server produces,” Scannell and Chauchefoin tell The Daily Swig.
“As a result, attackers could launch supply chain attacks.”
PoC scripts circulating
They add: “This finding can be mass-exploited and does not require any knowledge of the targeted instance; we are aware of researchers who published proof-of-concept scripts for it.”
As previously covered by The Daily Swig, the disclosure follows SonarSource’s recent detailing of an arbitrary file read flaw, CVE-2021-43287, in the same platform.
“This new attack surface led to the discovery of three additional vulnerabilities and the ability to execute arbitrary code on the server,” Scannell and Chauchefoin say.
The first of the additional vulnerabilities is a stored cross-site scripting (XSS) bug that lets attackers act as an administrator who visits a malicious job status page, so that security-sensitive actions can be performed without the administrator's knowledge.
The following two could then be chained with the first to fully compromise the targeted instance.
‘Straightforward to exploit’
“The next steps of the chain are also straightforward to exploit in real-life scenarios, even if user interaction is required to exploit CVE-2021-43288,” the researchers say.
“Threat actors could simply force jobs to fail to incite administrators to go on the GoCD interface, triggering the stored [XSS] payload. After that, RCE is only two bugs away.”
Exploiting these flaws could allow attackers to leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files being produced as part of the build process – potentially leading to supply-chain attacks.
Go patch your systems
SonarSource reported the vulnerabilities to the GoCD team between October 18 and 21, and patches were pushed via GitHub on October 23. A new version, v21.3.0, was released on October 26, patching all four vulnerabilities.
“GoCD’s security team was exceptionally helpful in the disclosure process. We reported our findings over their vulnerability disclosure program on HackerOne, and they involved us in the investigation for the root cause and used our feedback to patch the vulnerabilities as fast as possible,” Scannell and Chauchefoin say.
GoCD has flagged the upcoming security release on its public forum, and says it will warn users via its mailing list.
Add Scannell and Chauchefoin: “We can expect to see automated exploitation of these vulnerabilities in the wild – do not forget to upgrade your instances to GoCD 21.3.0!”
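The actionable step for operators is to confirm that every instance is on 21.3.0 or later. The script below is an added example, not code from the article or the GoCD project: it queries GoCD's documented version endpoint (GET /go/api/version, which returns JSON containing a "version" string) and compares the result against the fixed release named in the article. The sample response embedded in the script is constructed so the check runs offline; the fetch helper assumes the endpoint is reachable without authentication.

```python
"""Check whether a GoCD server reports a version at or above the fixed release.

Added example, not part of the original article or the GoCD project. It uses
GoCD's documented version endpoint, GET /go/api/version, whose JSON body
contains a "version" string. SAMPLE_RESPONSE below is constructed for offline
use; FIXED_VERSION (21.3.0) comes from the article.
"""
import json
import re
import urllib.request

FIXED_VERSION = (21, 3, 0)  # GoCD 21.3.0 patched the four CVEs discussed above


def parse_version(text):
    """Turn '21.3.0' or '21.3.0-12345' into a tuple of ints.

    Only the leading dotted numeric part is used; build suffixes are ignored,
    and short versions such as '21.3' are padded to three components.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the reported version is at or above the fixed release."""
    return parse_version(version_text) >= fixed


def assess_version_response(body):
    """Parse a /go/api/version JSON body and return (version, patched)."""
    data = json.loads(body)
    version = data["version"]
    return version, is_patched(version)


def fetch_version(base_url, timeout=10):
    """Query a live server (assumes anonymous read access to the endpoint)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/go/api/version",
        headers={"Accept": "application/vnd.go.cd.v1+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a version response from an unpatched server.
SAMPLE_RESPONSE = json.dumps({
    "version": "21.2.0",
    "build_number": "12345",
    "git_sha": "0000000",
    "full_version": "21.2.0 (12345-0000000)",
})

if __name__ == "__main__":
    version, patched = assess_version_response(SAMPLE_RESPONSE)
    print(f"GoCD {version}: {'patched' if patched else 'UPGRADE REQUIRED'}")
```

To run it against a real instance, replace SAMPLE_RESPONSE with `fetch_version("https://gocd.example.internal")`; a result of "UPGRADE REQUIRED" means the server is still exposed to the chain described above.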