The Story, The Findings And The Fixes Behind More Than A 100 Jenkins Plugins Vulnerabilities
Viktor Gazdag
© 2019 All Rights Reserved. 2
Timeline
• Who Am I
• Goal Of The Talk
• Statistics
• The Story
• The Findings
• The Fixes
• Report Vulnerability
• Related Articles
• Q&A

Who Am I
• Security Consultant at NCC Group
• IT Helpdesk, System Administrator, System Engineer
• Ethical Hacking Specialist, Security Consultant
• 2019 Jenkins Security MVP
• CRT, OSCP, eWPT, eWPTX, eMAPT
• MCSE 2012, NS0-155
• Travel, Video Games, Security Research

Thank You
• Jenkins / CloudBees - Daniel Beck
• NCC Group - Matt Lewis, Mario Iregui, Bernardo Damele, Jennifer Fernick, Simon Harraghy, Balazs Bucsay
• Irene Michlin, Soroush Dalili

Goal Of The Talk
• Why – Give Back To The Community, Raise Awareness
• How – Show The Problems And Fixes
• What – Presentation, Blog, Advisories, White Paper*, Tool*

Core and Plugin Vulnerabilities By Years
• Core And Plugins
• SECURITY-* And CVE-*
[Chart: Vulnerabilities and Advisories By Year, 2010–2019, two series (Vulnerability, Advisory), y-axis 0–350]

The Story
• Started With A Project
• Continued With A Jenkins Advisory
• Triggered By A Second Advisory

The Findings
• Credentials Stored In Plain Text, CSRF, SSRF, XSS, TLS Certificate Validation Disabled, Missing Permission Check
• 15 Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability, 118 CVEs, 1 CVE Pending, 10 Issues Without CVEs

Distribution Of The Vulnerability Types
Submitted And Released Findings (2017.11 – 2019.10)
[Chart: Core and Plugin Vulnerabilities by type; categories: Credentials stored plain text, CSRF, Missing permission check, SSRF with permission check, CSRF with permission check, TLS certificate validation disabled, XSS; y-axis 0–80]

Findings - Tools
• Black Box Test
• Burp Suite Pro
• Linux
• netcat, cat, less, ls, openssl, python, vi
• Simple Python program with Self-Signed SSL Certificate
• Browser
• Looked For Specific Issues

The Findings
• Credentials Stored In Plain Text
• Web Form
• Multiple Paths
• /var/lib/Jenkins/*.xml
• /var/lib/Jenkins/job/TestJob/config.xml
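Added example (not the talk's tool and not a Jenkins component) of how an administrator can check a Jenkins home for the plain-text storage pattern these slides show. It walks every XML file under the home, which covers both the top-level *.xml files and each job's config.xml, and reports credential-looking elements unless their value is in the brace-wrapped encrypted form that hudson.util.Secret writes. The element-name list and the encrypted-value pattern are assumptions to tune for the plugins you run; the values themselves are never printed, only file and element name.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/**
 * Scans XML files under a Jenkins home for credential-like elements whose value
 * is not in Jenkins' encrypted form. Added example, not part of the talk.
 */
public class PlainTextSecretScanner {

    // Element names that usually hold secrets (assumption: extend for your plugins).
    // Note: names such as <passwordHash> also match, so review hits before acting.
    private static final Pattern SECRET_ELEMENT = Pattern.compile(
            "<([A-Za-z0-9_.-]*(?:password|passphrase|secret|token|apikey|privatekey)[A-Za-z0-9_.-]*)>([^<]*)</\\1>",
            Pattern.CASE_INSENSITIVE);

    // Values written by hudson.util.Secret look like {base64...} (assumption about the on-disk format).
    private static final Pattern ENCRYPTED_VALUE = Pattern.compile("^\\{[A-Za-z0-9+/=]+\\}$");

    public enum Status { ENCRYPTED, PLAIN_TEXT, EMPTY }

    /** Classifies one element value without ever echoing it. */
    public static Status classify(String value) {
        String v = value.trim();
        if (v.isEmpty()) return Status.EMPTY;
        return ENCRYPTED_VALUE.matcher(v).matches() ? Status.ENCRYPTED : Status.PLAIN_TEXT;
    }

    /** Returns the names of credential-like elements whose value is stored in plain text. */
    public static List<String> findPlainText(String xml) {
        List<String> hits = new ArrayList<>();
        Matcher m = SECRET_ELEMENT.matcher(xml);
        while (m.find()) {
            if (classify(m.group(2)) == Status.PLAIN_TEXT) {
                hits.add(m.group(1)); // report the element name, never the value
            }
        }
        return hits;
    }

    /** Walks the Jenkins home: top-level *.xml plus every job config.xml below it. */
    public static void scan(Path jenkinsHome) throws IOException {
        try (Stream<Path> files = Files.walk(jenkinsHome)) {
            files.filter(p -> p.toString().endsWith(".xml")).forEach(p -> {
                try {
                    String xml = new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
                    for (String element : findPlainText(xml)) {
                        System.out.println("PLAIN TEXT: " + p + " <" + element + ">");
                    }
                } catch (IOException e) {
                    System.err.println("unreadable: " + p + " (" + e.getMessage() + ")");
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one field stored as typed, one stored via Secret, one empty.
        String sample = "<root>\n"
                + "  <apiToken>hunter2</apiToken>\n"
                + "  <password>{AQAAABAAAAAQexampleciphertext==}</password>\n"
                + "  <proxyPassword></proxyPassword>\n"
                + "</root>";
        System.out.println("sample hits: " + findPlainText(sample));
        if (args.length > 0) {
            scan(Paths.get(args[0]));
        }
    }
}
```

Run it with the Jenkins home as the only argument (for example `/var/lib/jenkins`) on a host where you can read the files; the constructed sample in main runs first so the classification can be sanity-checked without touching a real installation. The regex approach is deliberately simple: it is a triage aid for the administrator, and a plugin that stores a secret under an unusual element name will need its name added to the list.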

The Findings
• Missing Permission Check

The Findings
• Cross-Site Request Forgery (CSRF) And Missing Permission Check Allowed Capturing Credentials
• “CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.” - OWASP
The Findings
• CSRF And Missing Permission
Check Lead to Server-Side
Request Forgery (SSRF)
• “In a SSRF attack the attacker
can change a parameter used
on the web application to
create or control requests from
the vulnerable server.” -
Netsparker
© 2019 All Rights Reserved. 24
The Findings
• CSRF And Missing Permission
Check Lead to SSRF
© 2019 All Rights Reserved. 25
The Findings
• Cross-Site Scripting (XSS)
• Reflected, Stored, DOM
• “XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” - OWASP

The Fixes
• Credentials Stored In Plain Text
• Using a Secret Type Offered By Jenkins
• 3rd Party Plugin Called Credentials Plugin
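Added example (not code from the talk or from any real plugin) of what the two fixes on this slide look like in plugin code: the same Describable written once with a plain String, once with hudson.util.Secret, and once as a credentialsId that is resolved through the Credentials plugin at use time. The class and field names (PlainTextServer, SecretServer, CredentialsServer, url, password, credentialsId) are hypothetical; the Secret and Credentials plugin calls (Secret.toString, CredentialsProvider.lookupCredentials, CredentialsMatchers.withId) are the real APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;

import java.util.Collections;

/**
 * Before/after for "credentials stored in plain text" (added example, hypothetical
 * plugin). Each Describable's fields are serialised to config.xml by XStream.
 */
public class CredentialStorageExample {

    /** BEFORE: a String field is written to config.xml exactly as typed. */
    public static class PlainTextServer extends AbstractDescribableImpl<PlainTextServer> {
        private final String url;
        private final String password; // lands on disk as <password>hunter2</password>

        @DataBoundConstructor
        public PlainTextServer(String url, String password) {
            this.url = url;
            this.password = password;
        }
        public String getUrl() { return url; }
        public String getPassword() { return password; } // also echoed back into the form

        @Extension public static class DescriptorImpl extends Descriptor<PlainTextServer> {
            @Override public String getDisplayName() { return "Plain text server (vulnerable)"; }
        }
    }

    /** AFTER, option 1: hudson.util.Secret encrypts on disk and keeps the form field masked. */
    public static class SecretServer extends AbstractDescribableImpl<SecretServer> {
        private final String url;
        private final Secret password; // serialised as <password>{AQAA...}</password>

        @DataBoundConstructor
        public SecretServer(String url, Secret password) {
            this.url = url;
            this.password = password;  // Stapler converts the submitted string to a Secret
        }
        public String getUrl() { return url; }
        /** Return the Secret itself so the Jelly password field renders masked. */
        public Secret getPassword() { return password; }
        /** Decrypt only at the point of use, never when rendering or logging. */
        public String passwordForRequest() { return Secret.toString(password); }

        @Extension public static class DescriptorImpl extends Descriptor<SecretServer> {
            @Override public String getDisplayName() { return "Server using Secret"; }
        }
    }

    /** AFTER, option 2: store only a credentialsId; the Credentials plugin owns the secret. */
    public static class CredentialsServer extends AbstractDescribableImpl<CredentialsServer> {
        private final String url;
        private final String credentialsId; // a reference, not a secret

        @DataBoundConstructor
        public CredentialsServer(String url, String credentialsId) {
            this.url = url;
            this.credentialsId = credentialsId;
        }
        public String getUrl() { return url; }
        public String getCredentialsId() { return credentialsId; }

        /** Resolves the stored id to a username/password credential at use time (server side). */
        public StandardUsernamePasswordCredentials resolve() {
            return CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class,
                            Jenkins.get(),
                            ACL.SYSTEM,
                            Collections.<DomainRequirement>emptyList()),
                    CredentialsMatchers.withId(credentialsId));
        }

        @Extension public static class DescriptorImpl extends Descriptor<CredentialsServer> {
            @Override public String getDisplayName() { return "Server using Credentials plugin"; }
        }
    }
}
```

The difference is visible on disk: the String field reaches config.xml as typed, the Secret field is stored encrypted with the instance's key, and the Credentials plugin variant stores nothing secret in the plugin's own XML at all. The lookup in resolve() runs as ACL.SYSTEM because it happens server side when the plugin actually needs the credential; a descriptor method that lists credentials for a form dropdown from a user-supplied id is a different case and needs the permission check described under the CSRF and permission-check fixes.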

The Fixes
• CSRF

The Fixes
• Missing Permission Check

The Fixes
• XSS
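Added example covering the CSRF, missing-permission-check and XSS fixes above in one place; it is not code from the slides, and Jenkins' own guidance is in the form-validation and XSS-prevention links under Related Articles. A "Test Connection" form-validation endpoint is shown twice: a hypothetical doTestConnectionVulnerable with all three defects, and doTestConnection with the fixes applied. Every class and method name here is an assumption; @RequirePOST, @AncestorInPath, Item.CONFIGURE, Jenkins.ADMINISTER and FormValidation.ok/error versus okWithMarkup/errorWithMarkup are the real Jenkins and Stapler APIs.

```java
import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Added example: one "Test Connection" button before and after the three fixes (hypothetical plugin). */
public class FormValidationExample extends AbstractDescribableImpl<FormValidationExample> {

    @Extension
    public static class DescriptorImpl extends Descriptor<FormValidationExample> {

        /**
         * BEFORE. Three defects on one method, matching the findings in the talk:
         *  - reachable by GET, so it can be triggered cross-site (CSRF);
         *  - no permission check, so any user who can reach Jenkins may call it;
         *  - the caller-controlled url is echoed back as HTML markup (XSS).
         * Because the server connects to the given url, CSRF plus the missing
         * permission check is exactly the SSRF chain from the findings.
         */
        public FormValidation doTestConnectionVulnerable(@QueryParameter String url) {
            try {
                int status = probe(url);
                return FormValidation.okWithMarkup("<b>" + url + "</b> answered " + status);
            } catch (IOException e) {
                return FormValidation.errorWithMarkup("Cannot reach " + url + ": " + e.getMessage());
            }
        }

        /**
         * AFTER: POST only, a permission check against the item being configured
         * (or ADMINISTER on the global configuration page), and plain-text messages.
         */
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item, @QueryParameter String url) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration
            } else {
                item.checkPermission(Item.CONFIGURE);              // job or folder configuration
            }
            if (Util.fixEmptyAndTrim(url) == null) {
                return FormValidation.error("URL is required");
            }
            try {
                int status = probe(url);
                // ok()/error() HTML-escape their message; prefer them over the *WithMarkup variants
                return FormValidation.ok("Server answered HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Cannot reach server: " + e.getMessage());
            }
        }

        /**
         * Lightweight HEAD request using the JVM's default trust store. Do not swap in a
         * trust-all TrustManager or hostname verifier here; that is the "TLS certificate
         * validation disabled" finding from the same talk.
         */
        private static int probe(String url) throws IOException {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            try {
                return conn.getResponseCode();
            } finally {
                conn.disconnect();
            }
        }

        @Override
        public String getDisplayName() { return "Form validation example"; }
    }
}
```

The permission check, not the POST requirement, is what stops an authenticated low-privilege user from driving the server's outbound request; the POST requirement is what stops a third-party page from doing it through a logged-in administrator's browser. Both are needed, and the message escaping is independent of either, which is why the three findings so often appeared together on one endpoint.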

Report Vulnerability
• Where To Report:
• Jenkins: https://jenkins.io/security/
• CloudBees: https://www.cloudbees.com/security-policy
• Jenkins JIRA: https://issues.jenkins-ci.org/browse/SECURITY
• Include The Following:
• Check Previous Issues: https://jenkins.io/security/advisories/
• Core And Plugin Version
• Description
• Reproduction Steps
• Proof Of Concept (Screenshots, Console Outputs etc.)
• Deadline (Optional)

Related Articles
• Storing Secrets:
• On Disk And Configuration Forms: https://jenkins.io/doc/developer/security/secrets/
• CSRF:
• Form Validation And CSRF: https://jenkins.io/doc/developer/security/form-validation/
• XSS:
• XSS Prevention: https://jenkins.io/doc/developer/security/xss-prevention/
• Other:
• Blog Post: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/may/story-of-a-hundred-vulnerable-jenkins-plugins/
• Teaser Blog Post: https://jenkins.io/blog/2019/11/29/do-plugins-store-credentials-in-a-secure-way/
• Technical Advisory: https://www.nccgroup.trust/uk/our-research/jenkins-plugins-and-core-technical-summary-advisory/?research=Technical+advisories

Questions
Feel Free To Ask Personally
Email viktor.gazdag@nccgroup.com
Thank You
