{"id":24881,"date":"2022-08-15T20:58:19","date_gmt":"2022-08-15T20:58:19","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=24881"},"modified":"2022-08-15T20:58:21","modified_gmt":"2022-08-15T20:58:21","slug":"ci-cd-pipeline-software-supply-chain-risk","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/applications\/ci-cd-pipeline-software-supply-chain-risk\/","title":{"rendered":"CI\/CD Pipeline is Major Software Supply Chain Risk: Black Hat Researchers"},"content":{"rendered":"\n

Continuous integration and development (CI\/CD) pipelines are the most dangerous potential attack surface of the software supply chain<\/a>, according to NCC researchers.<\/p>\n\n\n\n

The presentation<\/a> at last week’s Black Hat security conference by NCC’s Iain Smart and Viktor Gazdag, titled “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI\/CD Pipeline Compromise,” builds on previous work<\/a> NCC researchers have done on compromised CI\/CD pipelines.<\/p>\n\n\n\n

A CI\/CD pipeline is fundamentally remote code execution (RCE), and there are many paths to compromise it regardless of a company’s size.<\/p>\n\n\n\n

Because organizations trust their pipelines too much, compromising these channels is usually a good path for hackers, as they would likely gain unauthorized access to critical data and even elevate their privileges to perform further attacks.<\/p>\n\n\n\n

See the Best Third-Party Risk Management (TPRM) Tools<\/a><\/p>\n\n\n\n

CI\/CD Approaches Create Risk<\/strong><\/h2>\n\n\n\n

CI stands for \u201ccontinuous integration\u201d and CD means \u201ccontinuous delivery.\u201d The combination of the two practices allows for automating and monitoring development throughout the entire lifecycle.<\/p>\n\n\n\n

Continuous integration means developers can automate processes when code changes. Typically, scripts will run when a modification is merged into specific branches of the project to test, build, and deploy the code.<\/p>\n\n\n\n

The idea is to reduce the efforts needed to deploy new code across all environments, which not only impacts developers but also business teams. As enhanced deployment is part of the Twelve-factor app<\/a>, a set of principles that drive modern SaaS apps, approaches such as CI\/CD are supposed to make the process less risky.<\/p>\n\n\n\n

The Jenkins<\/a> open source automation server, for example, is one the most popular solutions on the market. Many companies, including major ones, use it to handle DevOps operations. During their tests, the researchers managed to compromise Jenkins environments in various ways, leveraging misconfiguration in S3 Buckets or in the environment itself.<\/p>\n\n\n\n

Indeed, organizations use third-party solutions like Jenkins to speed up their processes, but too permissive configurations ultimately lead to privilege escalation.<\/p>\n\n\n\n

Also read: How Hackers Compromise the Software Supply Chain<\/a><\/p>\n\n\n\n

Third-party Solutions Make CI\/CD Pipelines Vulnerable<\/strong><\/h2>\n\n\n\n

Researchers found attack paths in popular platforms that provide advanced CI\/CD functionalities, such as GitLab<\/a>. They took advantage of sensitive features in GitLab Runners to escalate privileges and grab secrets.<\/p>\n\n\n\n

Again, configurations that are too permissive allow any user with rights to commit code to access passwords and secrets, for example, when the data is stored in plain text in environment variables.<\/p>\n\n\n\n

Researchers also exploited privileged processes and containers (e.g., in Docker and Kubernetes) that run, for example, as root, while some solutions support rootless build.<\/p>\n\n\n\n

These attacks may look quite classic, and robust configuration would not allow such escalations, but in reality, many organizations have poor practices and choose convenience over security. Some teams might not even know there are additional security settings or find them incompatible with deadlines.<\/p>\n\n\n\n

Researchers reported interesting results in their 10 scenarios. The final one consisted of pretending <\/em>\u201cyou have compromised a developer\u2019s laptop.\u201d After chaining some exploits, they managed to access the Jenkins master node and dump all variables, which ultimately gave them full access to the production environment, as the deployment pipeline was given too many permissions.<\/p>\n\n\n\n

Also read: New Open-source Security Initiative Aimed at Supply Chain Attacks<\/a><\/p>\n\n\n\n

How to Secure your CI\/CD Pipeline<\/strong><\/h2>\n\n\n\n

CI\/CD pipelines are critical environments hackers will attack if given a chance. Because of their complexity and the time needed to configure them properly, many teams give full permissions to third-party tools that are not supposed to get so many rights.<\/p>\n\n\n\n

Here are some practical security steps:<\/p>\n\n\n\n