CICD security: A new eldorado

Presented at DEF CON 30 (2022), Aug. 12, 2022, 9 a.m. (240 minutes)

CI/CD pipelines are increasingly becoming part of the standard infrastructure within dev teams and with the rise of solutions such as Infrastructure as Code, the sensitivity level of such pipelines is escalating. In case of compromise, it is not just the applications that are at risk but the underlying systems themselves and sometimes the whole information systems. Attackers are beginning to exploit those weaknesses both for supply chains attacks but also to escalate their privileges within the victim IS. Welcome to DataLeek company, after several decades of V-cycle development we have now decided to adopt the "agile" methodology. To do so, our IT teams have set up a CI/CD pipeline that rely on the most advanced and state-of-the-art tools available on the market. However, for some reasons, our CISO seems to doubt the security level of this brand new infrastructure and insist to perform a pentest on it. Your mission, should you choose to accept it, is to evaluate the security level of this CI/CD pipeline and offer solutions to fix the issues identified. In this fully hands-on workshop, we’ll guide you through multiple vulnerabilities that we witnessed during numerous penetration tests. You’ll learn how to: - Get a foothold within a CI/CD pipeline - Find interesting secrets and other information within code repositories - How to pivot and exploit weak configuration on the orchestrator - Compromise building nodes in order to add backdoors to artifacts - Pivot on cloud infrastructure - Escape Kubernetes thanks to common misconfiguration - Perform a privilege escalation in AWS Hand-on exercises will be performed on our lab environment with a wide variety of tools. For each attack, we will also focus on prevention, mitigation techniques and potential way to detect exploitations. Materials: All attendees will need to bring a laptop capable of running virtual machines (8GB of RAM is a minimum) and an up-to-date RDP client. Prereq: This training is aimed at security professionals or developers willing to understand the risks of a poorly secured CI/CD pipeline.

Presenters:

• Gauthier Sebaux - Penetration Tester
  Gauthier Sebaux has been performing penetration tests in Wavestone for years for a large number of clients. His passion for cybersecurity started even before he was already exploiting buffer overflows and participating to CTF competitions when he was in high school. When he is not pentesting, he administrates his personal infrastructure and contributes to open-source projects. It provided him with deep knowledge on Linux environments, Linux container isolation and more recently Kubernetes. He brought back his expertise in his work and specialized in penetration testing of DevOps infrastructure.
• Xavier Gerondeau - Penetration Tester
  Xavier Gerondeau is an penetration tester in Wavestone. He once performed a tests on a CI/CD pipeline and rocked it. Because of this so-cool-ness, he became a DevOps expert in Wavestone and pwned every CI/CD pipeline he encountered during his missions. He's so talented that his clients now fear him!
• Remi Escourrou - Red Team Lead
  Rémi Escourrou (@remiescourrou) is leading the Red Team at Wavestone. Before moving to red team operation and exploiting CI/CD pipeline, he was involved in audits and pentests of large enterprise networks with emphasis on Active Directory. During his research time, he enjoys tackling technical problems to compromise its targets. He’s passionate about the security field and already teaches workshops at BSides Las Vegas, Brucon, BSides Lisbon.

Similar Presentations:

• AppSec USA 2017 / Practical DevOps Security and Exploitation (1 of 2 days)
• Black Hat USA 2022 / RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise
• AppSec USA 2017 / Practical DevOps Security and Exploitation (2 of 2 days)