Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community.
The automation server helps developers build, test and deploy their applications; it has hundreds of thousands of active installations worldwide and more than 1 million users.
Viktor Gazdag, a Security Consultant at NCC Group, has manually tested hundreds of Jenkins plugins and discovered security flaws in over 100 of them.
Jenkins plugins let users add functionality such as Active Directory authentication, or automate recurring tasks such as executing a static code
Most of the issues fall into two classes: passwords stored in plain text, and cross-site request forgery (CSRF) flaws combined with missing permission checks that an attacker could exploit to steal stored credentials.
“Although Jenkins encrypts the passwords in the credentials.xml file, some of the plugin developers made use of other ways to store the credentials in the plugin’s own .xml file or in the job’s config.xml file. In the majority of cases these solutions did not involve any encryption.” reads the analysis published by Gazdag.
“In addition, sometimes the web form where the user submits the credentials revealed the password or the secret token and did not use the correct Jelly form control.”
The expert pointed out that a default installation leaves three kinds of files readable with their default file permissions: credentials.xml, each plugin’s own global configuration XML file, and each job’s config.xml. A plugin that writes a credential unencrypted into either of the latter two therefore exposes it to anyone who can read the Jenkins home directory.
“It is worth mentioning that a lot of Jenkins hacking tutorials only mention the credentials.xml file and do not discuss the other two files,” he added. “Not to mention that the workspace folder could temporarily store some juicy information as well.”
The expert found that the CSRF flaws are concentrated in the “test connection” functions that plugins implement to let users validate submitted credentials against a remote server.
The developers of these test functions neither checked that the caller holds the Overall/Administer permission nor restricted the endpoint to POST requests; Jenkins’ CSRF protection only enforces its anti-forgery token, called a crumb, on POST requests, so a handler that also accepts GET can be triggered from any attacker-controlled web page visited by a logged-in administrator.
Some of the vulnerable plugins were written by third-party developers to integrate Jenkins with a wide range of services, including Twitter, AWS, and Azure.
The Jenkins project has published security advisories for the affected plugins, including those that remain unpatched.
“Developers can prevent CSRF by enforcing POST requests and checking permissions with Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER). For safer credential storing use Jenkins’ Secret and password field in the web form,” concludes the expert.
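The following is an added illustration, not code from Gazdag’s research, NCC Group, or any real Jenkins plugin: a hypothetical plugin’s global configuration (package name, class name, the “ping” helper and the service URL are all made up) that shows the two problems described above side by side. The first handler is the vulnerable shape: a plain String token that lands unencrypted in the plugin’s own XML file, and a test endpoint reachable via GET with no permission check. The second is the hardened shape: a `Secret` field, `@RequirePOST`, and a `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` call (`Jenkins.get()` is the current name for the `Jenkins.getInstance()` used in the quote). It depends only on Jenkins core and Stapler classes.

```java
// Added example, not from the original article or any real plugin.
package example.jenkins; // hypothetical package

import hudson.Extension;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleServiceConfig extends GlobalConfiguration {

    // ---- vulnerable pattern -------------------------------------------------
    // A plain String is serialised as-is into
    // $JENKINS_HOME/example.jenkins.ExampleServiceConfig.xml (no encryption),
    // and if the Jelly form renders it with <f:textbox field="legacyApiToken"/>
    // the value is also echoed back into the page source.
    private String legacyApiToken;

    // No @RequirePOST, so a GET works and no crumb is needed; no permission
    // check, so any authenticated user (or a page they visit) can make Jenkins
    // send the token to a URL of the attacker's choosing.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String apiToken) {
        return ping(url, apiToken) ? FormValidation.ok("Connected")
                                   : FormValidation.error("Connection failed");
    }

    // ---- hardened pattern ---------------------------------------------------
    // Secret is stored encrypted under the instance's master key, and the form
    // should use <f:password field="apiToken"/> so the value is not exposed.
    private Secret apiToken;

    public ExampleServiceConfig() {
        load();
    }

    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws Descriptor.FormException {
        // Only administrators may change global configuration.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        req.bindJSON(this, json);
        save();
        return true;
    }

    // @RequirePOST rejects GET, so the request must carry the crumb that
    // Jenkins' CSRF protection attaches to POSTs from its own forms.
    // checkPermission aborts with 403 unless the caller is an administrator.
    // Binding the parameter as Secret keeps it out of casual logging.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter Secret apiToken) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        // Decrypt only for the duration of the check; never log the value.
        return ping(url, Secret.toString(apiToken)) ? FormValidation.ok("Connected")
                                                    : FormValidation.error("Connection failed");
    }

    // Placeholder for the real network call to the hypothetical service.
    private boolean ping(String url, String token) {
        return url != null && url.startsWith("https://") && token != null && !token.isEmpty();
    }
}
```

Two checks a reviewer can run against any plugin’s `doTestConnection`-style method: the method must be annotated `@RequirePOST` (or otherwise verify `req.getMethod()` is POST), and its first statement should be a `checkPermission` call against the permission that actually guards the configuration being tested. Separately, grep the plugin’s and jobs’ XML files under `$JENKINS_HOME` for the credential value; a correctly stored `Secret` appears only in its encrypted form.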