A CI/CD pipeline is a series of automated steps that helps software teams deliver code faster, safer, and more reliably.
It coordinates all the processes involved in continuous integration (CI) and continuous delivery (CD). The CTO of Razz Security, Mukesh, recently exploited CI/CD pipelines to gain full server access.
Researcher Exploited CI / CD Pipelines
A potentially dangerous security flaw has been identified, which has its origins in the presence of an exposed .git directory on a publicly available web server.
Due to this bug, one could read and download the entire version control, which encompassed even the files such as .git/config.
Upon examination, it’s been revealed that this particular configuration file contained sensitive user credentials, and as a result of this, it dramatically escalates the exploit chain further.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
Here, an attacker could potentially use these credentials to perform a full server takeover by cloning the entire Git repository.
As this enables them to gain access to source code, deployment scripts, and other critical system information. This security oversight highlights the importance of properly securing version control systems in web environments.
Since minor misconfigurations can also lead to severe consequences or security threats.To gain unauthorized access to a production server an attacker exploited Bitbucket Pipelines, reads Razz security report.
After discovering the pipeline configuration file, which automates code deployment, the attacker modified it to include their own SSH (Secure Shell) public key in the server’s authorized_keys file.
The altered pipeline script used the atlassian/ssh-run:0.2.8 pipe to execute commands on the target server (damn.vulnerable.site) as the ‘ubuntu’ user.
This modification allowed the attacker to add their key using the command: “echo ssh-rsa AAAA…snip…sw== >> /home/ubuntu/.ssh/authorized_keys”.
The next pipeline run is triggered by a code push to the master branch, and this change allows the attacker to gain SSH access to the server.
With this foothold, the attacker gained shell access and full control over the compromised server, while this includes the ability to execute arbitrary commands.
Moreover, they noted a potential privilege escalation vulnerability, and this flaw could lead to root access, further expanding their control over the system.
This exploit chain highlights the dangers of exposing sensitive directories, like the .git folder, to the public and abusing CI/CD pipelines.
Mitigations
Here below we have mentioned all the mitigations:-
- Make sure to regularly monitor and review SSH key access.
- Remove outdated or unnecessary SSH keys.
- Block public access to your .git directory.
Download Free Incident Response Plan Template for Your Security Team – Free Download