On the 20th February 2019, Alert Logic research teams began tracking vulnerabilities affecting users of Jenkins which could allow an attacker to run malicious software remotely. That same day new detection content was deployed to monitor for abuse and over the following hours teams in research and security operations began managing exploit attempts in the wild and raising incidents to customers.
Many vulnerabilities never see the light of day to become exploitable by malicious actors, in this case it took around a month for anyone to produce successful proof-of-concept code and from there less than a few days to be seen in the wild. As these situations develop Alert Logic teams monitor for changes like this in the threat landscape so we can react appropriately and efficiently.
The vulnerability allows for remote attackers to inject code via “Meta-Programming” compilation, a feature designed to allow evaluation of code snippets, into one of three plugins
- Groovy, or
- Script Security
Using this behavior, attackers can cause victim hosts to fetch payloads and execute them. Following are major key steps for Attacks,
- On a remote host compile exploit class and create jar file and create a directory structure in web root.
- Send a web request to a Jenkins target with a pipeline script payload to grab a snippet which is on your host for attacking machine.
- Compromise causes a connection from Jenkins to your host and grabs the jar file – from the jar file it imports your class
- Bash commands in class are then executed by Jenkins.
Patching is the primary mitigation for this threat. It is also recommended to remove Jenkins from public internet access. The following versions are listed as vulnerable in this advisory:
- Pipeline: Declarative Plugin up to and including 1.3.4
- Pipeline: Groovy Plugin up to and including 2.61
- Script Security Plugin up to and including 1.49
By utilizing known classes/methods within an available abstraction library such as Grape, malicious code objects can be remotely fetched and imported within a compile-time primitive, leveraged within the Request URI.