Saturday , February 1 2025
graph

Researcher to exploit CI / CD pipelines gaining full server access

The CTO of Razz Security, Mukesh, recently exploited CI/CD pipelines to gain full server access which has its origins in the presence of an exposed .git directory on a publicly available web server. For this flaw, anyone could read and download the entire version control.

It is examined that, this particular configuration file contained sensitive user credentials, and as a result of this, it dramatically escalates the exploit chain further. Bad actor can potentially use these credentials to perform a full server takeover cloning the entire Git repository.

Indian tech giant Tata Tech hit by ransomware attack

Tata Technologies reported a ransomware incident affecting some IT services, but it did not disrupt client deliveries, according to a...
Read More
Indian tech giant Tata Tech hit by ransomware attack

Vulnarabilitties found in Cisco webex and VMware Aria operation

A serious cybersecurity flaw in Cisco Webex Chat has been discovered, allowing unauthorized attackers to access the chat histories of...
Read More
Vulnarabilitties found in Cisco webex and VMware Aria operation

Microsoft to boost M365 bounty program rewards Up to $27,000

Microsoft has announced a major expansion of its Microsoft 365 Bounty Program. The program now covers new Viva products for...
Read More
Microsoft to boost M365 bounty program rewards Up to $27,000

DeepSeek reveils over 1 million chat records; Italy Bans DeepSeek

Chinese AI startup DeepSeek has exposed two databases with sensitive user and operational information from its DeepSeek-R1 LLM model. Unsecured...
Read More
DeepSeek reveils over 1 million chat records; Italy Bans DeepSeek

Microsoft brings DeepSeeK to Azure AI Foundry and GitHub

Microsoft has added DeepSeek’s R1 AI model to its Azure AI Foundry platform and GitHub. This lets customers easily integrate...
Read More
Microsoft brings DeepSeeK to Azure AI Foundry and GitHub

Hackers leverage Google’s subdomains, phone number to attack victims

Scammers called a victim using Google's official support number and sent an email from an official subdomain. It's unclear how...
Read More
Hackers leverage Google’s subdomains, phone number to attack victims

DeepSeek Sensitive data exposed To Web: Wiz report

New York-based cybersecurity firm Wiz has discovered sensitive data from the Chinese AI startup DeepSeek that was accidentally exposed on...
Read More
DeepSeek Sensitive data exposed To Web: Wiz report

“FirePass” starts its operation in Bangladesh officially

FirePass, a fire prevention and suppression system is officially started its operation in Bangladesh. Smart Data brings the world class...
Read More
“FirePass” starts its operation in Bangladesh officially

PoC Exploit Released for TP-Link Router XSS Vuln

A newly found XSS vulnerability, CVE-2024-57514, in the TP-Link Archer A20 v3 Router has raised security concerns for users. CVE-2024-57514 is...
Read More
PoC Exploit Released for TP-Link Router XSS Vuln

CVE-2024-40891
Zyxel CPE Zero-Day Exploited in the Wild

Security researchers have alerted about ongoing exploitation attempts of a newly found zero-day command injection vulnerability in Zyxel CPE Series...
Read More
CVE-2024-40891  Zyxel CPE Zero-Day Exploited in the Wild

This allows an attacker to take full control of source code, it highlights the importance of properly securing version control systems in web environments. Razz security report reads, To gain unauthorized access to a production server an attacker exploited Bitbucket Pipelines, reads .

While discovering the pipeline configuration file threat actor modified it to include their own SSH (Secure Shell) public key in the server’s authorized_keys file.

The altered pipeline script used the atlassian/ssh-run:0.2.8 pipe to execute commands on the target server (damn.vulnerable.site) as the ‘ubuntu’ user.

This modification allowed the attacker to add their key using the command: “echo ssh-rsa AAAA…snip…sw== >> /home/ubuntu/.ssh/authorized_keys”.

The next pipeline run is triggered by a code push to the master branch, such types of changes allows the attacker to gain SSH access to the server.

With this foothold, bad actor took shell access and full control over the compromised server, while this includes the ability to execute arbitrary commands.

Moreover, they noted a potential privilege escalation vulnerability, and this flaw could lead to root access, further expanding their control over the system.

This exploit chain highlights the dangers of exposing sensitive directories, like the .git folder, to the public and abusing CI/CD pipelines.

Mitigations
Here below we have mentioned all the mitigations:-

Make sure to regularly monitor and review SSH key access.
Remove outdated or unnecessary SSH keys.
Block public access to your .git directory.

Check Also

Apple

Apple fixed year’s first actively exploited zero-day flaw

Apple has issued security updates to address a zero-day flaw affecting iPhone users that is …

Leave a Reply

Your email address will not be published. Required fields are marked *