Get to Know What to Look After When Pentesting Jenkins CI/CD Pipelines

If you're looking to get into the world of Jenkins and CI/CD pipelines, this blog post is for you. I'll cover what Jenkins is, the benefits of using it, which CVEs affecting it matter most, and a couple of resources worth looking into. You can then use all this knowledge to your advantage and secure your pipeline. Let's get started!

Dragos Stanescu - May, 2022
  • Tutorials
  • Jenkins CI/CD
WHAT IS JENKINS

Jenkins is a free and open-source automation server. It helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven, and shell scripts. Jenkins can also be used to monitor executions of externally run jobs such as cron jobs and procmail jobs, even those that are not technically part of a build process. Also, Jenkins CI/CD is used in software development to implement continuous integration (CI) and continuous delivery (CD). These are processes whereby code changes are automatically built, tested, and deployed to production servers on every commit.

WHAT ARE THE BENEFITS OF USING TECHNOLOGY LIKE JENKINS

The benefits of this approach include reduced release cycle times, faster feedback on code changes and more reliable releases. Because Jenkins CI/CD builds, tests, and deploys every commit automatically, problems surface earlier and each release becomes more predictable.

HOW CAN A JENKINS PIPELINE BE HACKED / PENTESTED

Like the WordPress CMS, Jenkins is hackable in the sense that it can be extended and customized using plugins. While the core of Jenkins is secure, the same cannot be said for the many plugins available for it. In fact, the security of Jenkins has been called into question on several occasions due to vulnerabilities in popular plugins, affected by bug classes like:

1. User Enumeration

2. Dynamic Routing RBAC Bypass

3. Arbitrary File Read

4. RCE (Remote Code Execution)

5. CSRF and Missing Permissions in GitHub Plugin

6. Sensitive Info Exposure (pre-auth users could access agent logs)

7. Account Takeover

Another problem is that some users don't configure their Jenkins instances properly, which can also lead to security issues via various security misconfigurations. In general, it's important to be aware of the potential security risks when using Jenkins and to take steps to mitigate them. One way to do this is to only use trusted plugins from reputable sources. A second way is to harden the Jenkins instance by changing its dangerous default settings. The third way is to keep your pipeline software package up to date with the latest security fixes. By taking these simple precautions you have already addressed many issues that could lead to a pipeline compromise.
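The hardening advice above (turn security on, fix the dangerous defaults, keep the controller patched) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original post or from the Jenkins project: it reads a controller's `config.xml` (the file Jenkins keeps in `JENKINS_HOME`) and flags the weak settings a pentester would otherwise find for you. The element names checked (`useSecurity`, `authorizationStrategy`, `securityRealm`, `crumbIssuer`, `slaveAgentPort`) are real Jenkins `config.xml` elements; the two sample configurations, the finding identifiers and the version string are constructed for this example, and absent elements are treated conservatively as findings.

```python
"""Audit a Jenkins controller's config.xml for weak or default security settings.

Added example for this post; not Jenkins project code. The XML elements are real
Jenkins config.xml elements, the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a controller left close to its out-of-the-box state.
WEAK_CONFIG = """<hudson>
  <version>2.0-example</version>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <slaveAgentPort>0</slaveAgentPort>
</hudson>
"""

# Constructed sample: the same controller after hardening.
HARDENED_CONFIG = """<hudson>
  <version>2.0-example</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>
"""


def _text(parent, tag, default):
    """Text of a direct child element, or `default` when it is missing/empty."""
    node = parent.find(tag)
    if node is None or node.text is None:
        return default
    return node.text.strip()


def audit_jenkins_config(xml_text):
    """Return a list of (finding_id, explanation) tuples; empty means no findings.

    Missing elements are treated as the weak setting (conservative auditing).
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Security switched off entirely: no authentication, everyone is admin.
    if _text(root, "useSecurity", "false").lower() != "true":
        findings.append(("SECURITY_DISABLED", "<useSecurity> is not true: no authentication at all"))

    # 2. Authorization strategy: Unsecured grants full control to anonymous users;
    #    "logged-in users can do anything" must still deny anonymous read access.
    authz = root.find("authorizationStrategy")
    authz_class = authz.get("class", "") if authz is not None else ""
    if authz is None or authz_class.endswith("$Unsecured"):
        findings.append(("AUTHZ_UNSECURED", "anyone, including anonymous, has full control"))
    elif authz_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if _text(authz, "denyAnonymousReadAccess", "false").lower() != "true":
            findings.append(("ANON_READ", "anonymous users can read jobs, console output and artifacts"))

    # 3. Built-in user database with self-signup lets anyone create an account.
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if _text(realm, "disableSignup", "false").lower() != "true":
            findings.append(("SELF_SIGNUP", "anyone can create their own account"))

    # 4. No crumb issuer means CSRF protection is disabled.
    if root.find("crumbIssuer") is None:
        findings.append(("CSRF_OFF", "no crumb issuer: CSRF protection is disabled"))

    # 5. Inbound agent TCP port: -1 disables it, 0 picks a random port.
    port = _text(root, "slaveAgentPort", "-1")
    if port != "-1":
        label = "random" if port == "0" else port
        findings.append(("AGENT_PORT_OPEN", f"inbound agent TCP port enabled ({label}); disable if unused"))

    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} config ==")
        for fid, why in audit_jenkins_config(doc) or [("OK", "no findings")]:
            print(f"  {fid}: {why}")
```

Run it against a copy of your own `config.xml` (pass the file contents to `audit_jenkins_config`) and fix every finding before a pentest does; an empty list for the hardened sample shows what a clean baseline looks like.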

In addition, the developers of Jenkins have been quick to address newly reported issues. As can be seen from the graph below, the number of reported security vulnerabilities in Jenkins has been steadily declining over the last five years. This is likely due to increased awareness among plugin developers and users alike. Nevertheless, it is important to remember that any system is only as secure as its weakest link.

Figure: 2018 - 2022 Jenkins CI/CD Pipeline Vulnerabilities Trend

The following list of critical CVEs is a starting point for those looking to compromise Jenkins instances. It does not represent all possible attack vectors and exploits, but rather what we think might be useful in an exercise like this one, where you're trying (and perhaps failing) to compromise your target system.

Figure: List of CVEs affecting Jenkins

WHY WOULD YOU WANT TO HACK A CI/CD PIPELINE

If you're a pentester, there's a good chance you've considered hacking the Jenkins pipeline. After all, what could be more gratifying than successfully compromising a continuous delivery system? Beyond that, there are several reasons why Jenkins is an attractive target for attackers. First, it is often used to manage sensitive information such as user credentials and private keys. Second, successful exploitation of a Jenkins server can lead to a wide range of consequences, including data theft.

HOW CAN YOU USE JENKINS HACKING EXERCISE RESULTS TO YOUR ORGANIZATION'S ADVANTAGE

A Jenkins CI/CD pipeline hacking exercise can provide an enormously powerful knowledge base to any internal engineering team. Any security controls bypass would help you understand how attackers think and operate. This knowledge can be used to improve your security posture and make it more difficult for real attackers to succeed.

Additionally, testing your current controls against as many attack methods as possible allows you to identify weaknesses and correct them before they are exploited. Finally, conducting regular pentesting exercises can help to foster a culture of security within your organization. This culture will not only help to improve your security posture, but it will also encourage employees of all sorts to report potential security concerns.

CONCLUSION

There's not much difference between pentesting a Jenkins CI/CD instance and performing security testing on any other application or infrastructure. The pattern follows the same well-known playbook: testing for dangerous default settings alongside user input validation in the running plugins that could lead to RCE (Remote Code Execution), SSRF (Server-Side Request Forgery), or other similarly high-impact bug classes.

With the Security Skills as a Service model, organizations can tap into an elite group of professionals who have been specially trained in penetration testing. These individuals are known for their skill at finding security vulnerabilities that could otherwise cost organizations huge amounts when attackers, looking only to discover and monetize weaknesses within your systems or network, find them first.

ACKNOWLEDGEMENTS | REFERENCES | RESOURCES


- https://www.jenkins.io/security/advisory/2022-01-12/
- https://book.hacktricks.xyz/pentesting/pentesting-web/jenkins
- https://github.com/gquere/pwn_jenkins
- https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py
- https://hackmd.io/@iB4URG5XTIWmQSD6XqlQ2g/HkHYGoR6N?type=view
- https://securitytutorials.co.uk/confessions-of-a-pentester-part-1-jenkins/
- https://blog.carnal0wnage.com/2019/02/jenkins-messing-with-new-exploits-pt1.html
- https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/
- https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
- http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
- https://github.com/Accenture/jenkins-attack-framework


LEGAL STATEMENT

The information in this blog post is provided for research and educational purposes only. Whilst every effort has been made to ensure that the information contained in this document is true and correct at the time of publication, Security Hubs, Inc. accepts no liability in any form whatsoever for any direct or indirect damages arising or resulting from the use of or reliance on the information contained herein.
