If you're looking to get into the world of Jenkins and CI/CD pipelines, this blog post is for you. I'll cover what Jenkins is, the benefits of using it, what are the most important CVEs affecting it, and a couple of resources worth looking into. Then you can use all this knowledge to your advantage and secure your pipeline. Let's get started!
Dragos Stanescu - May, 2022
What is a Jenkins CI/CD pipeline?
Jenkins is a free and open source devops automation server. It helps to automate the non-human part of the software development lifecycle process, with continuous integration & deployment and facilitates technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven, and shell scripts. Jenkins can also be used to monitor executions of externally run jobs such as cron jobs and procmail jobs, even those that are not technically part of a build process. Also, Jenkins CI/CD is used in software development to implement continuous integration (CI) and continuous delivery (CD). These are processes whereby code changes are automatically built, tested, and deployed to production servers on every commit.
What are the benefits of using technology like a Jenkins CI/CD pipeline?
Faster development process
Faster feedback about the quality of code
Reduced risk of human error when manually running tests or deploying code
Easier collaboration between team members
The ability to automate running tests and deploy code whenever new code is pushed to your code repository
How can a Jenkins CI/CD Pipeline be pentested?
Like the WordPress CMS, Jenkins automate concept is hackable in the sense that its main functionality can be extended and customized via a generous plug marketplace. Although Jenkins' core security was greatly improved over the years, the same cannot be said for the various plugins that are available for it. In fact, the security of Jenkins has been called into question on several occasions due to vulnerabilities in popular plugins affected by bug classes like:
Dynamic Routing RBAC Bypass
Arbitrary File Read
RCE (Remote Code Execution)
CSRF and Missing Permissions in GitHub Plugin
Sensitive Info Exposure (pre-auth users could access agent logs)
Another problem is that some users don't configure their Jenkins instances properly, which can also lead to security issues via various security misconfigurations. In general, it's important to be aware of the potential security risks when using Jenkins and to take steps to mitigate these risks. One way to do this is to only use trusted plugins from reputable sources. A second way is to harden the Jenkins instance, by changing its dangerous default settings. The third way is to keep your pipeline software package up to date with the latest security fixes. By taking all these simple precautions you already have addressed many issues that could lead to a pipeline compromise.
In addition, the developers of Jenkins have been quick to address newly reported issues. As can be seen from the graph below, the number of reported security vulnerabilities in Jenkins has been steadily declining over the last five years. This is likely due to increased awareness among plugin developers and users alike. Nevertheless, it is important to remember that any system is only as secure as its weakest link.
The following list of critical CVE is a starting point for those looking to compromise Jenkins instances. This does not represent all possible attack vectors and exploits, but rather what we think might be useful in an exercise like this one - where you're trying (and perhaps failing) at compromising your target system.
What are the benefits of security in a CI Pipeline?
There are many benefits to using a CI/CD pipeline for security purposes. By automating the testing and deployment of code changes, you can significantly reduce the chances of introducing security vulnerabilities into your codebase. Additionally, by automating the process of checking for and applying security patches, you can ensure that your systems are always up to date with the latest security fixes. Finally, by using a CI/CD pipeline to deploy your code changes, you can control exactly when and how those changes are made, which can help to prevent unauthorized access to your systems.
On top of this, linting can help identify errors such as syntax errors, formatting issues, and other potential problems that could break the code build. Furthermore, it is advisable to integrate a DAST (Dynamic Application Security Testing) feature like ZAP, a barebone open-source security scanner that will help identifying low hanging security issues or deviations from the SANS Top 25 or CREST checklists.
Why would you want to hack a CI/CD Pipeline?
If you're a pentester, there's a good chance you've considered hacking the Jenkins pipeline. After all, what could be more gratifying than successfully compromising a continuous delivery system? However, there are several reasons why Jenkins is an attractive target for attackers. First, it is often used to manage sensitive information such as user credentials and private keys. Second, successful exploitation of a Jenkins server can lead to a wide range of consequences, including data theft.
Leverage results from a Jenkins CI pipeline hacking exercise for your advantage
A Jenkins CI/CD pipeline hacking exercise can provide an enormously powerful knowledge base to any internal engineering team. Any security controls bypass would help you understand how attackers think and operate. This knowledge can be used to improve your security posture and make it more difficult for real attackers to succeed.
Additionally, by testing your current controls against as many attack methods type possible, allows you to identify weaknesses and correct them before they are exploited. Finally, conducting regular pentesting exercises can help to foster a culture of security within your organization. This culture will not only help to improve your security posture, but it will also help to encourage employees of all sorts to report potential security concerns.
There's not much different between executing security testing of a Jenkins CI/CD instance and performing pen test of any other application or infrastructure. The pattern follows the same well-known playbook, with testing for default dangerous settings alongside user input validation in the running plugins that could lead to RCE (Remote Code Execution), SSRF (Server-Side Request Forgery), Information Disclosure through Dumping Credentials via the Groovy console, or similar other high-impact bug classes.
With the SYN CUBES' Security Skills as a Service model, organizations will be able to access an elite group of professionals with unparalleled experience in manual penetration testing, in addition to your default DAST tool's automated security checks. Sun Cubes' team is well known for his ability to find security flaws, which could cost organizations a lot of money in hacking attacks from malicious actors.
The information in this blog post is provided for research and educational purposes only. Whilst every effort has been made to ensure that the information contained in this document is true and correct at the time of publication, Syn Cubes, Inc. accepts no liability in any form whatsoever for any direct or indirect damages arising or resulting from the use of or reliance on the information contained herein.
Say goodbye to pentesting fluff and hello to real results.