RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise

Conference: Black Hat USA 2022

2022-08-10

Summary

The presentation discusses the vulnerabilities in CI/CD pipelines and the importance of applying security principles to prevent attacks.
  • CI/CD pipelines are being adopted to speed up developers, but they also store credentials and dependencies that can be exploited by attackers.
  • The speaker shares anecdotes of engagements where they were able to exploit vulnerabilities in CI/CD pipelines.
  • The importance of applying security principles such as least privilege and network segmentation to prevent attacks is emphasized.
  • The speaker shares a story of a customer who gave them developer access to their locked-down pipeline; they were nevertheless able to modify the dependencies and insert a malicious payload that gave them a reverse shell.

Abstract

In the past 5 years, we've demonstrated countless supply chain attacks in production CI/CD pipelines for virtually every company we've tested, with several dozen successful compromises of targets ranging from small businesses to Fortune 500 companies across almost every market and industry. In this presentation, we'll explain why CI/CD pipelines are the most dangerous potential attack surface of your software supply chain. To do this, we'll discuss the sorts of technologies we frequently encounter, how they're used, and why they are the most highly privileged and valuable targets in your company's entire infrastructure. We'll then discuss specific examples (with demos!) of novel abuses of intended functionality in automated pipelines which allow us to turn the build pipelines from a simple developer utility into Remote Code Execution-as-a-Service. Is code-signing leading your team into a false sense of security while you programmatically build someone else's malware? Is it true that "any sufficiently advanced attacker is indistinguishable from one of your developers"? Have we critically compromised nearly every CI/CD pipeline we've ever touched? The answer to all of these questions is yes. Fortunately, this presentation will not only teach you exactly how we did it and the common weaknesses we see in these environments, but also share key defensive takeaways that you can immediately apply to your own development environments.
