Continuous integration tools can be the Achilles heel for a company's IT security

CI deployments are insecure in default configurations and allow the execution of commands on the underlying OS with system privileges

Some of the most popular automated software building and testing tools used by developers have not been designed with security in mind and can open the door for attackers to compromise enterprise networks.

These so-called continuous integration (CI) tools allow developers to automatically create software builds when code changes are contributed by developers to a central repository. The creation of these builds, which are used for quality control, is coordinated by a CI master server based on predefined rules and done on CI slave machines.

If hackers manage to access a CI master server, they can steal proprietary source code, but also gain the ability to execute commands on all the machines that operate as CI slaves, security researcher and penetration tester Nikhil Mittal said Friday in a presentation at the Black Hat Europe security conference in Amsterdam. "This access could be used for lateral movement to get access to more machines."

In fact, Mittal said that he has never seen a penetration test so far where unauthorized access to a CI tool didn't result in administrative access to the whole network domain.

That's because most CI tools are insecure in their default configuration and certain user roles allow the execution of PowerShell commands and scripts with system privileges. Chances are high that the token for a domain administrator can be found in a process running on one of the CI slave machines.

Mittal tested three open-source CI tools called Jenkins, CruiseControl and Go and two proprietary ones called TeamCity and Hudson. He found default insecure configurations and exploitable features in all of them.

He demonstrated several attacks that could result in command execution on underlying machines, the opening of reverse shells and the theft of sensitive data like database and Git credentials, SSH keys and more.

The researcher found many instances of CI server deployments that are directly accessible from the Internet and do not even require authentication.

Out of the top ten software development companies in the world, at least 5 had such services exposed, he said.

As common problems across all tested CI tools, Mittal found: minimal security in default configurations, missing security controls like brute-force protection, the ability to run commands and scripts on the OS by non-administrative users, the ability to remove all security measures if a build agent is running on the master server, insecure storage of credentials and SSH keys and unauthenticated remote access.

In order to protect these systems, the researcher recommended that no build executor should ever run on the master CI server, restricting the user privileges who can configure build steps, securing the admin dashboard, not exposing the CI tool to the Internet unless absolutely necessary, not providing read privileges to anonymous users and preventing users from using their usernames as passwords.

Join the CSO newsletter!

Error: Please check your email address.

Tags BLACK HAT EUROPE

More about HudsonSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place