The Story, The Findings And
The Fixes Behind More Than
A 100 Jenkins Plugins
Vulnerabilities
Viktor Gazdag
© 2019 All Rights Reserved. 2
Timeline
• Who Am I
• Goal Of The Talk
• Statistics
• The Story
• The Findings
• The Fixes
• Report Vulnerability
• Related Articles
• Q&A
Who Am I
• Security Consultant at NCC Group
• IT Helpdesk, System Administrator, System Engineer
• Ethical Hacking Specialist, Security Consultant
• 2019 Jenkins Security MVP
• CRT, OSCP, eWPT, eWPTX, eMAPT
• MCSE 2012, NS0-155
• Travel, Video Games, Security Research
Thank You
• Jenkins / CloudBees - Daniel Beck
• NCC Group - Matt Lewis, Mario Iregui, Bernardo Damele, Jennifer Fernick, Simon Harraghy, Balazs Bucsay
• Irene Michlin, Soroush Dalili
Goal Of The Talk
• Why – Give Back To The Community, Raise Awareness
• How – Show The Problems And Fixes
• What – Presentation, Blog, Advisories, White Paper*, Tool*
Core and Plugin Vulnerabilities By Years
• Core And Plugins
• SECURITY-* And CVE-*
[Chart: Vulnerabilities and Advisories By Year, 2010 to 2019; two series, Vulnerability and Advisory; y-axis 0 to 350]
The Story
• Started With A Project
• Continued With A Jenkins Advisory
• Triggered By A Second Advisory
The Findings
• Credentials Stored In Plain Text, CSRF, SSRF, XSS, TLS Certificate Validation Disabled, Missing Permission Check
• 15 Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability, 118 CVEs, 1 CVE Pending, 10 Issues Without CVEs
Distribution Of The Vulnerability Types
Submitted And Released Findings (2017.11 – 2019.10)
[Bar chart: Core and Plugin Vulnerabilities by type, y-axis 0 to 80; categories: Credentials stored plain text, CSRF, Missing permission check, SSRF with permission check, CSRF with permission check, TLS certificate validation disabled, XSS]
Findings - Tools
• Black Box Test
• Burp Suite Pro
• Linux
• netcat, cat, less, ls, openssl, python, vi
• Simple Python program with Self-Signed SSL Certificate
• Browser
• Looked For Specific Issues
The Findings
• Credentials Stored In Plain Text
• Web Form
• Multiple Path
• /var/lib/Jenkins/*.xml
• /var/lib/Jenkins/job/TestJob/config.xml
The Findings
• Missing Permission Check
The Findings
• Cross-Site Request Forgery (CSRF) And Missing Permission Check Allowed Capturing Credentials
• “CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.” - OWASP
The Findings
• CSRF And Missing Permission Check Led To Server-Side Request Forgery (SSRF)
• “In a SSRF attack the attacker can change a parameter used on the web application to create or control requests from the vulnerable server.” - Netsparker
The Findings
• Cross-Site Scripting (XSS)
• Reflected, Stored, DOM
• “XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” - OWASP
The Fixes
• Credentials Stored In Plain Text
• Using a Secret Type Offered By Jenkins
• 3rd Party Plugin Called Credentials Plugin
The Fixes
• CSRF
The Fixes
• Missing Permission Check
The Fixes
• XSS
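The fixes above, worked into a hypothetical plugin as an added example (not code from the talk or from any real Jenkins plugin): the plain-text String password becomes a hudson.util.Secret, and the form-validation method that tests a connection gets @POST against CSRF plus an explicit permission check before it touches the network. Assumed: a standard plugin build against a recent Jenkins core (2.98 or later, for Jenkins.get()); the class, package and field names are invented.

```java
// Added example, not code from the talk or from any real Jenkins plugin: a
// hypothetical "ExampleNotifier" plugin with a "Test connection" form-validation
// method, showing the three fixes the slides name. Assumed: a normal Jenkins
// plugin build (jenkins-core and Stapler on the classpath); all names are invented.
package io.example.jenkins;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleNotifier extends Notifier {
    private final String url;
    private final String username;
    // BEFORE ("Credentials Stored In Plain Text"): a String field is written
    // verbatim into the job's config.xml, e.g. <password>hunter2</password>.
    //   private final String password;
    // AFTER: hudson.util.Secret is encrypted with the instance's key when XStream
    // serialises it to config.xml; only getPlainText() reveals the value.
    private final Secret password;
    @DataBoundConstructor
    public ExampleNotifier(String url, String username, Secret password) {
        this.url = url;
        this.username = username;
        this.password = password;
    }
    public String getUrl() { return url; }
    public String getUsername() { return username; }
    public Secret getPassword() { return password; } // the config form binds Secret directly
    @Override
    public BuildStepMonitor getRequiredMonitorService() { return BuildStepMonitor.NONE; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        // BEFORE ("CSRF And Missing Permission Check"): without @POST the method
        // answered GET requests, so a page the victim had open could trigger it, and
        // without a permission check any user who could reach Jenkins could call it.
        // Because it connects to a caller-chosen URL with caller-chosen credentials,
        // this is the credential-capture / SSRF pattern in the findings.
        //   public FormValidation doTestConnection(@QueryParameter String url,
        //       @QueryParameter String username, @QueryParameter String password)
        // AFTER: @POST rejects GET and enforces the Jenkins CSRF crumb, and
        // checkPermission() throws AccessDeniedException unless the caller may
        // configure the job (or administer Jenkins when called outside a job).
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter Secret password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (url == null || url.trim().isEmpty()) {
                return FormValidation.error("URL is required");
            }
            return connect(url.trim(), username, Secret.toString(password));
        }
        // Hypothetical connection test with HTTP Basic auth. No custom TrustManager
        // or HostnameVerifier is installed, so the JVM's default certificate
        // validation stays on (avoiding "TLS Certificate Validation Disabled").
        private FormValidation connect(String url, String username, String password) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setConnectTimeout(5_000);
                conn.setReadTimeout(5_000);
                String token = Base64.getEncoder().encodeToString(
                        (username + ":" + password).getBytes(StandardCharsets.UTF_8));
                conn.setRequestProperty("Authorization", "Basic " + token);
                int status = conn.getResponseCode();
                return status == HttpURLConnection.HTTP_OK
                        ? FormValidation.ok("Connection succeeded")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override
        public String getDisplayName() { return "Example notifier (hypothetical)"; }
    }
}
```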
Report Vulnerability
• Where To Report:
• Jenkins: https://jenkins.io/security/
• CloudBees: https://www.cloudbees.com/security-policy
• Jenkins JIRA: https://issues.jenkins-ci.org/browse/SECURITY
• Include The Following:
• Check Previous Issues: https://jenkins.io/security/advisories/
• Core And Plugin Version
• Description
• Reproduction Steps
• Proof Of Concept (Screenshots, Console Outputs etc.)
• Deadline (Optional)
Related Articles
• Storing Secret:
• On Disk And Configuration Forms: https://jenkins.io/doc/developer/security/secrets/
• CSRF:
• Form Validation And CSRF: https://jenkins.io/doc/developer/security/form-validation/
• XSS:
• XSS Prevention: https://jenkins.io/doc/developer/security/xss-prevention/
• Other:
• Blog Post: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/may/story-of-a-hundred-vulnerable-jenkins-plugins/
• Teaser Blog Post: https://jenkins.io/blog/2019/11/29/do-plugins-store-credentials-in-a-secure-way/
• Technical Advisory: https://www.nccgroup.trust/uk/our-research/jenkins-plugins-and-core-technical-summary-advisory/?research=Technical+advisories
Questions
Feel Free To Ask Personally
Email viktor.gazdag@nccgroup.com
Thank You