Yesterday the New York Times ran a story stating that TeamCity, a CI/CD tool from JetBrains, was implicated in the US hacking of 10 federal agencies that in turn affected 250+ organization networks.

> “The exact software that investigators are examining is a JetBrains product called TeamCity, which allows developers to test and exchange software code before its release. By compromising TeamCity, or exploiting gaps in how customers use the tool, cybersecurity experts say the Russian hackers could have inconspicuously planted back doors in an untold number of JetBrains’ clients. Because TeamCity is so widely deployed, experts said, it is imperative to determine whether its software contains a vulnerability, or if attackers exploited TeamCity customers via stolen passwords or gaps in unpatched, outdated software.”

JetBrains, the company behind TeamCity, provided a response that correctly distances them from the attack and follows up by commenting on TeamCity’s potential role in it:

> “It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability.”

It remains to be seen what role TeamCity, a closed-source CI/CD tool, plays in this intrusion and, if it does play one, what the nature of the exploitation was. For now, the question we need to ask ourselves is how conceivable it is that a CI/CD tool could be implicated in such a hack.

## Misconfigured or Badly Configured Software

JetBrains points to misconfiguration as one possibility. The configuration of a system can leave it vulnerable; at the most simplistic level, it is like creating the login account as ‘admin’ with the password ‘admin’. We sometimes talk about CI/CD systems as sharp knives which, if not handled properly, can cut the user. A reasonable amount of knowledge and security awareness is needed to set up these tools in a way that keeps them secure. And let’s be clear: it is not just CI/CD tools. Plenty of software is vulnerable to being badly configured and left insecure, Amazon S3 buckets being a well-known example.

Another issue plaguing software – all software, not just CI/CD tools – is that even after vulnerabilities are found and patched, users may still be running out-of-date and vulnerable versions. This was the case in 2018, when hackers exploited unpatched Jenkins servers to make $3 million in cryptocurrency mining. In that example, the crypto-mining operator exploited a vulnerability in the Jenkins Java deserialization implementation. In 2019, TeamCity also had a vulnerability patched where insecure Java deserialization could potentially allow remote code execution. Any version of TeamCity in use without that fix would be vulnerable to exploitation. It is entirely possible for software to have recent or undisclosed vulnerabilities without fixes that could potentially be exploited in devastating ways.

Back in 2018, I spoke about how there is increased awareness in the industry around security vulnerabilities, their consequences, and the need to do better. This is a good thing, given how pervasive and complex modern software is. Below I outline how the industry can be more proactive in discovering vulnerabilities before hackers do.