Fetch exploit - Attacks against source code downloaders

Supply-chain attacks have come to the fore recently, with more and more companies moving towards DevOps. This talk demonstrates attacks against the software used to manage and download source code and how this affects the whole software supply-chain and DevOps pipeline.

In this talk I’ll be demonstrating attacks against the software used to retrieve source code and software packages. The talk starts by examining CVE-2018-11235, a vulnerability in git, and how it could lead to code execution. From there we look at the surprising number of places, such as Docker, Kubernetes, npm, and the Go package manager, where this vulnerability could be exploited by an attacker. We then progress to vulnerabilities in the package and source-code managers for various languages: I will demonstrate a vulnerability in go get that leads to RCE (CVE-2018-16873), and other security issues in source-code and package managers will also be examined. Finally, the talk looks at possible defences against these types of attack and at how the DevOps pipeline can be hardened so that these issues are not exploitable.
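The following is an added example, not code from the talk or its speaker. CVE-2018-11235 was fixed in git 2.17.1 by rejecting submodule names in `.gitmodules` that contain a `..` path component (the `check_submodule_name()` rule), because such a name lets a recursive clone write submodule data, including hooks, outside `.git/modules/`. The Python below reproduces that rule as a pre-clone check a pipeline could run on a fetched `.gitmodules` before `git submodule update --init --recursive`. The `.gitmodules` text is constructed for the example; the function names are the example's own.

```python
import re

# Constructed sample .gitmodules: one benign entry and one whose submodule
# *name* (the quoted section name) walks up out of .git/modules/.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../hooks"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
"""

# Matches a [submodule "<name>"] section header, allowing escaped quotes in the name.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def parse_submodule_names(text):
    """Return the submodule section names, in order, from a .gitmodules body."""
    names = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def has_dotdot_component(name):
    """Mirror git's check_submodule_name(): an empty name, or any '..' path
    component, is rejected. Both '/' and '\\' count as separators so the
    rule is the same on every platform, as in git's implementation."""
    if not name:
        return True
    return any(component == ".." for component in re.split(r"[/\\]", name))


def unsafe_submodule_names(text):
    """Names that a patched git would refuse and a pipeline should block on."""
    return [n for n in parse_submodule_names(text) if has_dotdot_component(n)]


if __name__ == "__main__":
    bad = unsafe_submodule_names(SAMPLE_GITMODULES)
    for name in bad:
        print(f"refusing submodule name with '..' component: {name!r}")
    raise SystemExit(1 if bad else 0)
```

Run against a real checkout with `python check.py < .gitmodules`-style wiring of your choice; the point is to fail the job before any recursive clone runs on a host whose git may predate 2.17.1. Note that a name such as `a/..b` is legitimately allowed, since `..` must be a whole component to be dangerous.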

About the Speaker