Viktor Gazdag, security consultant at NCC Group, has found and reported vulnerabilities in over 100 different Jenkins plugins over the past 18 months. Gazdag has informed the plugin developers, but many of the plugins have not received a fix yet.
The Jenkins team has published ten security advisories covering the vulnerabilities, reports ZDNet, and has warned administrators to uninstall the affected plugins until they are fixed.
Jenkins is a widely used web-based application for development teams. Written in Java, it operates as a continuous integration/continuous deployment (CI/CD) system that lets teams build code, run automated tests and trigger further actions depending on the results.
Because of these build, test and automation functions, Jenkins is very popular, especially in the enterprise sector: Shodan, a search engine for systems connected to the Internet, lists around 79,000 Internet-exposed Jenkins instances. The standard functions of Jenkins can be extended with plugins, the vast majority of which are written by third-party developers.
Vulnerabilities
However, some of those plugins are no longer maintained, neither by the developers who wrote them nor by anyone else. Gazdag is warning Jenkins administrators that these abandoned plugins pose a risk to business systems because their security flaws remain unfixed, and some of the flaws are serious.
The most common error the researcher found is that many Jenkins plugins store passwords in cleartext in their configuration files. Instead of using Jenkins' built-in secret handling (the Secret type that credentials.xml and the Credentials plugin rely on), which encrypts values with the instance's key before they are written to disk, these plugins store the password as an ordinary string, so anyone who can read the file system or a backup of $JENKINS_HOME can read the credentials.
In addition, Gazdag found CSRF (Cross-Site Request Forgery) flaws: a plugin's "test connection" function could be triggered with a plain GET request and without a permission check, so an attacker can make Jenkins connect to a server of the attacker's choosing and hand over the stored credentials. He also found SSRF (Server-Side Request Forgery) flaws, where the same kind of function accepts an arbitrary URL and can therefore be used to map a company's internal network from the Jenkins server and to brute-force log-in data on internal systems.
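The following is an added example, not code from the article, from Gazdag's research or from any real Jenkins plugin. It shows a hypothetical plugin's global configuration written the way the two findings above call for: the password is held in a hudson.util.Secret rather than a String, so Jenkins encrypts it before persisting the configuration, and the "test connection" endpoint only accepts POST requests, checks for the Administer permission and refuses URLs that are not HTTPS or that point at loopback or private addresses before it uses the credential. The class, package, field names and the target service are assumptions; the Jenkins and Stapler APIs used (GlobalConfiguration, Secret, @POST, @QueryParameter, FormValidation, Jenkins.get()) are the standard ones from the Jenkins plugin SDK.

```java
package io.example.jenkins;   // hypothetical plugin package (assumption)

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical global configuration for an "example service" plugin.
 *
 * The vulnerable pattern found in many of the reported plugins looks like this:
 *
 *     private String apiPassword;                       // written to XML in cleartext
 *
 *     public FormValidation doTestConnection(@QueryParameter String serviceUrl,
 *                                            @QueryParameter String apiPassword) {
 *         // reachable via GET by any user, no permission check, any URL accepted
 *     }
 *
 * A GET that any logged-in user (or a victim's browser via CSRF) can trigger lets an
 * attacker point the test at a server they control and receive the credential, and the
 * unrestricted URL turns Jenkins into a proxy into the internal network (SSRF).
 */
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    private String serviceUrl;
    private Secret apiPassword;   // encrypted with the instance key when persisted

    public ExampleServiceConfiguration() {
        load();   // reads this plugin's XML config; Secret fields are decrypted on load
    }

    public String getServiceUrl() { return serviceUrl; }
    public Secret getApiPassword() { return apiPassword; }

    @DataBoundSetter
    public void setServiceUrl(String serviceUrl) { this.serviceUrl = serviceUrl; save(); }

    @DataBoundSetter
    public void setApiPassword(Secret apiPassword) { this.apiPassword = apiPassword; save(); }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);   // the form uses <f:password>, which binds to Secret
        save();
        return true;
    }

    /** Rejects targets that would let the endpoint be used to reach internal hosts. */
    static boolean isAllowedTarget(URL url) {
        if (!"https".equals(url.getProtocol())) {
            return false;
        }
        try {
            InetAddress addr = InetAddress.getByName(url.getHost());
            return !(addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress());
        } catch (java.net.UnknownHostException e) {
            return false;
        }
    }

    /**
     * Hardened "Test connection" endpoint:
     *  - @POST: GET requests are refused, so Jenkins' CSRF crumb protection applies;
     *  - checkPermission: only administrators may make Jenkins connect anywhere;
     *  - isAllowedTarget: limits where the stored credential can be sent.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String serviceUrl,
                                           @QueryParameter String apiPassword) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            URL target = new URL(serviceUrl);
            if (!isAllowedTarget(target)) {
                return FormValidation.error("Only public HTTPS endpoints are allowed");
            }
            // Secret.fromString handles both the encrypted form the <f:password> field
            // submits and a freshly typed plaintext value.
            String plain = Secret.fromString(apiPassword).getPlainText();
            String basic = Base64.getEncoder().encodeToString(
                    ("api:" + plain).getBytes(StandardCharsets.UTF_8));
            HttpURLConnection conn = (HttpURLConnection) target.openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Authorization", "Basic " + basic);
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connection successful")
                                 : FormValidation.error("Service returned HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

Two caveats for anyone adapting this: Jenkins.get() requires Jenkins 2.98 or newer (older cores use Jenkins.getInstance()), and the address check above is a first line of defence only, since a hostname can be made to resolve differently between the check and the connection (DNS rebinding); a plugin that must talk to a single known service should compare the target against an explicitly configured allowlist instead.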
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.