Scenario Default Password Critical Impacts - mccright/FCCSCybersecurityInput GitHub Wiki

Scenario #2 - Default Password - CI/CD Pipeline Infrastructure

FGFG development teams depend on a small group of infrastructure specialists to install and maintain the systems supporting all aspects of their software development lifecycle (SDLC) including their CI/CD pipeline.

The infrastructure specialists are a group of individuals with varying backgrounds and levels of experience. Individuals tend to cycle into and out of these positions -- largely because of the uncertainty of being on-call, and the regularly-scheduled nighttime and weekend hours required to build and maintain systems accessed by large numbers of users.

FGFG development uses SonarQube to help automatically evaluate the quality of their software. They also use it as evidence of their quality measurement practices during internal and external audits -- including regulatory audits.

It is an excellent, widely used platform.
(Screenshot: SonarQube)

And with a little neglect, it can become a serious liability.

It was a Friday, the last day of work for Tony, a disgruntled computer engineer. He tried logging in as the SonarQube system administrator.
An inexperienced member of the infrastructure staff had installed the most recent Sonar upgrade.
Unfortunately, they did not change the default administrator password.
Tony was familiar with Google and quickly found, then tried, the default password for the Sonar admin account. It worked. He was now logged in as the system administrator.

(Screenshot: SonarQube Login)
(Screenshot: SonarQube Login Success!)

(Screenshot: Rich Information about Application Flaws)

(Screenshot: SonarQube Configuration)

(Screenshot: Change the SonarQube Group Memberships)

(Screenshot: SonarQube Configuration - Change Permissions)

(Screenshot: SonarQube Configuration - Acquire Direct MySQL DB Access)

We see that this platform includes assessment data for more than 8,500 applications. It is a valuable and essential compliance platform.

Using his newfound access, Tony set the "Delete all analyses after" value to 1. This housekeeping setting causes every existing analysis except the most recent one to be deleted...
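The two changes the screenshots and the story describe (a new member in the administrators group, and the analysis-retention setting driven down to 1) are both visible through SonarQube's own web API, so a defender can audit for them after every upgrade or as a scheduled job. The script below is an added example written for this page, not code from the wiki or from SonarSource. It assumes the "Delete all analyses after" field maps to the setting key sonar.dbcleaner.weeksBeforeDeletingAllSnapshots (value in weeks, default 260), that the parsed JSON comes from GET /api/settings/values and GET /api/users/search, and it uses an assumed retention floor of 52 weeks and an assumed allow-list of expected administrators. The sample responses are constructed to reflect the scenario and were not captured from a real instance.

```python
import json

# Housekeeping setting behind the "Delete all analyses after" field (value is in weeks).
RETENTION_KEY = "sonar.dbcleaner.weeksBeforeDeletingAllSnapshots"
MIN_RETENTION_WEEKS = 52            # assumed organisational floor, not a SonarQube default
ADMIN_GROUP = "sonar-administrators"


def audit_retention(settings_response, min_weeks=MIN_RETENTION_WEEKS):
    """Flag a 'Delete all analyses after' value below the agreed floor.

    settings_response is the parsed JSON of GET /api/settings/values.
    If the key is absent the default (260 weeks) is in force and nothing is flagged.
    """
    findings = []
    for setting in settings_response.get("settings", []):
        if setting.get("key") != RETENTION_KEY:
            continue
        raw = setting.get("value", "")
        try:
            weeks = int(raw)
        except ValueError:
            findings.append(f"{RETENTION_KEY} has non-numeric value {raw!r}")
            continue
        if weeks < min_weeks:
            findings.append(
                f"{RETENTION_KEY}={weeks}: analyses older than {weeks} week(s) "
                f"will be purged by housekeeping (floor is {min_weeks})"
            )
    return findings


def audit_admins(users_response, expected_admins):
    """Flag any active account in sonar-administrators that is not on the allow-list,
    and any expected administrator that is missing or deactivated.

    users_response is the parsed JSON of GET /api/users/search; the 'groups'
    field is only returned when the call is made with administrator rights.
    """
    findings = []
    seen = set()
    for user in users_response.get("users", []):
        if not user.get("active", True):
            continue
        if ADMIN_GROUP not in user.get("groups", []):
            continue
        login = user["login"]
        seen.add(login)
        if login not in expected_admins:
            findings.append(f"unexpected member of {ADMIN_GROUP}: {login}")
    for login in sorted(set(expected_admins) - seen):
        findings.append(f"expected administrator missing or inactive: {login}")
    return findings


def run_audit(settings_response, users_response, expected_admins,
              min_weeks=MIN_RETENTION_WEEKS):
    """Combine both checks into one list of findings (empty list means clean)."""
    return (audit_retention(settings_response, min_weeks)
            + audit_admins(users_response, expected_admins))


# Constructed sample responses reflecting the scenario: retention set to 1 week and
# "tony" added to the administrators group. Not captured from a real instance.
SAMPLE_SETTINGS = json.loads("""{"settings": [
  {"key": "sonar.dbcleaner.weeksBeforeDeletingAllSnapshots", "value": "1", "inherited": false},
  {"key": "sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByMonth", "value": "52", "inherited": true}
]}""")

SAMPLE_USERS = json.loads("""{"users": [
  {"login": "admin", "name": "Administrator", "active": true, "local": true,
   "groups": ["sonar-administrators", "sonar-users"]},
  {"login": "tony", "name": "Tony", "active": true, "local": true,
   "groups": ["sonar-administrators", "sonar-users"]},
  {"login": "dev1", "name": "Developer One", "active": true, "local": false,
   "groups": ["sonar-users"]}
]}""")

EXPECTED_ADMINS = {"admin"}   # assumed allow-list kept by the infrastructure team

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_SETTINGS, SAMPLE_USERS, EXPECTED_ADMINS):
        print("FINDING:", finding)
```

Run against the sample data it reports two findings: the one-week retention and the unexpected administrator. In practice the two dicts would be fetched with a dedicated read-only service token rather than the built-in admin account, and the allow-list and floor would live in version control so that a change to either is itself reviewed.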

Using the screen images, what other attack vectors do you see?
For each idea, what is a likely negative outcome?