Vulnerability in software used by Fortune 500 firms raises fears of SolarWinds-like impact

UPDATED A critical vulnerability in popular CI/CD tool GoCD could allow unauthenticated attackers to extract encrypted secrets and poison software build processes – potentially paving the way to supply chain attacks.

The maintainers of the open source, Java-built platform have addressed the arbitrary file read flaw along with several other bugs discovered by Swiss security firm SonarSource.

Miscreants who abuse the vulnerability could take over GoCD servers and execute arbitrary code, as well as impersonate GoCD agents and seize control of software delivery pipelines.

The vulnerability was sufficiently serious to prompt the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning urging users to update their systems or apply workarounds.

SolarWinds-style threat

“Attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes,” said SonarSource security researcher Simon Scannell in a blog post.

The flaw, he added, could serve as a springboard for attacks of a similar nature to the SolarWinds hack, “where attackers gained access to the software delivery pipeline and added a backdoor to critical software, leading to one of the most impactful supply-chain attacks thus far”.


The lack of public data on how widely GoCD is used makes it hard to gauge the impact of a hypothetical supply chain attack, Scannell tells The Daily Swig, “but we know that it is used by Fortune 500 companies”.

He adds: “An attacker who has compromised a CI/CD pipeline can push malicious code into anything the pipeline produces – for example Docker images, JAR files, executables, libraries, etc.

“The malicious code would then impact anyone who uses and trusts the produced software.”

Broken authentication

The researchers unearthed the vulnerability after discovering a breaking change made in August 2018 that removed support for OAuth and made endpoints exposed by add-ons responsible for enforcing authentication. “Prior to this commit, these endpoints were accessible to authenticated users only,” said Scannell.


The issue was ushered into existence by the introduction in 2020 of Business Continuity, an add-on designed to mitigate the impact of a GoCD server failure or that of its database node.

This add-on has been removed from the latest version, but Scannell says he is unsure how the wider breaking change “will be addressed in the long-term”.

Timeline and patches

All GoCD instances running versions between v20.6.0 and v21.2.0 are affected by the flaw.

GoCD’s security team were alerted to the vulnerabilities on October 18 through the tool’s vulnerability disclosure program on HackerOne. The issues were subsequently addressed in version v21.3.0, which landed on Tuesday (October 26).

“If no update can be run immediately, we recommend setting up firewall rules to prevent any HTTP requests to the /add-on/** and/or /add-on/business-continuity/** endpoints,” said Scannell.
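The firewall workaround only helps if it actually covers every request to those paths, so the following added example (not SonarSource's or GoCD's code) scans reverse-proxy access logs in Common Log Format for requests that reached /add-on/** and reports, per client, whether they were served or blocked. The log lines, client addresses and the sub-paths beneath /add-on/business-continuity/ are constructed placeholders, not real GoCD routes or traffic.

```python
import re
from collections import Counter

# Added example: flag access-log requests to the GoCD add-on endpoints the
# article recommends blocking at the firewall until v21.3.0 is deployed.
BLOCKED_PREFIX = "/add-on/"

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec

def is_addon_request(path):
    """True for /add-on and anything beneath it, but not e.g. /add-ons."""
    return path == BLOCKED_PREFIX.rstrip("/") or path.startswith(BLOCKED_PREFIX)

def find_addon_hits(lines):
    """Return parsed requests that reached an /add-on/** endpoint."""
    return [r for r in map(parse_line, lines) if r and is_addon_request(r["path"])]

def summarize(hits):
    """Hits per client IP, plus how many were served (2xx) instead of blocked."""
    by_ip = Counter(h["ip"] for h in hits)
    served = sum(1 for h in hits if 200 <= h["status"] < 300)
    return by_ip, served

# Constructed sample log lines; the sub-paths are placeholders, not real GoCD routes.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2021:10:01:02 +0000] "GET /go/pipelines HTTP/1.1" 200 5120
198.51.100.7 - - [26/Oct/2021:10:01:09 +0000] "GET /add-on/business-continuity/status HTTP/1.1" 200 312
198.51.100.7 - - [26/Oct/2021:10:01:11 +0000] "GET /add-on/business-continuity/sync?full=1 HTTP/1.1" 200 88011
203.0.113.5 - - [26/Oct/2021:10:02:00 +0000] "GET /add-ons HTTP/1.1" 404 120
192.0.2.9 - - [26/Oct/2021:10:03:30 +0000] "GET /add-on/business-continuity/status HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    hits = find_addon_hits(SAMPLE_LOG)
    by_ip, served = summarize(hits)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} request(s) to /add-on/**")
    print(f"{served} of {len(hits)} add-on requests were served (2xx), not blocked")
```

Any add-on request answered with a 2xx after the firewall rule was supposed to be in place means the rule is not covering that path or that vantage point.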

The researcher also warned that SonarSource had found “hundreds of instances exposed to the internet” in violation of best practices.

“We would like to thank the GoCD security team who have been exceptionally responsive in the disclosure process,” added Scannell.

SonarSource says a forthcoming, follow-up blog post will detail a cross-site scripting (XSS) vulnerability and remote code execution (RCE) bug chain in GoCD.


This article was updated on November 1 with a reference to a threat alert issued by CISA.
