CVE-2022-45384 - Critical Vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.3 and Earlier: Unencrypted LDAP Manager Password

Are you using Jenkins Reverse Proxy Auth Plugin version 1.7.3 or earlier? If so, your system's security may be at risk due to a recently discovered critical vulnerability. In this blog post we explain the details of the vulnerability (CVE-2022-45384), show a configuration snippet illustrating the issue, provide links to the original references, and discuss how the weakness can be abused. Our aim is to help you understand and address this risk before it causes harm to your system.

What Is the Vulnerability?

The Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier contain a vulnerability that exposes the Lightweight Directory Access Protocol (LDAP) manager password in plain text. It stores this password unencrypted in the global config.xml file on the Jenkins controller. This vulnerability (CVE-2022-45384) is significant because attackers with access to the Jenkins controller file system can easily view and use this sensitive information.

Code Snippet

The problem comes from the way the LDAP manager password is stored in the global config.xml file. Here is an example of an insecure LDAP configuration in the global config.xml file:

<jenkins.model.GlobalConfiguration>
    <ldapSettings>
        <managerDN>cn=admin,dc=example,dc=com</managerDN>
        <managerPassword>MyPlainTextPassword</managerPassword>
    </ldapSettings>
</jenkins.model.GlobalConfiguration>

As you can see, the managerPassword field contains the plaintext LDAP password ("MyPlainTextPassword"), which is readable by anyone with permission to read the global config.xml file. Storing a credential unencrypted in the global configuration file is not unusual in the Jenkins ecosystem: many Jenkins plugins have had similar issues, and they are typically fixed once they become known.
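As an added audit check (example code written for this post, not code from the plugin or from Jenkins), the following Python script parses a config.xml in the shape shown above and flags secret-bearing elements whose value is not in Jenkins' encrypted-Secret form. It assumes Jenkins writes encrypted secrets as base64 wrapped in curly braces, and the sample XML is a constructed input, not a real controller's file.

```python
import re
import xml.etree.ElementTree as ET

# Assumption of this example: Jenkins serialises hudson.util.Secret values as
# base64 wrapped in curly braces, e.g. "{AQAAABAAAAAw...}". Anything else in a
# secret-bearing element is treated as plaintext and reported.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names that should never hold a plaintext value; "managerPassword"
# is the one shown on this page, the rest is a hypothetical extension point.
SECRET_TAGS = ("managerPassword",)

# Constructed sample in the shape shown above (not taken from a real system).
SAMPLE_CONFIG_XML = """<jenkins.model.GlobalConfiguration>
    <ldapSettings>
        <managerDN>cn=admin,dc=example,dc=com</managerDN>
        <managerPassword>MyPlainTextPassword</managerPassword>
    </ldapSettings>
</jenkins.model.GlobalConfiguration>"""


def classify_secret(value):
    """Return 'empty', 'encrypted' or 'plaintext' for a stored secret value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    return "encrypted" if ENCRYPTED_SECRET.match(value) else "plaintext"


def mask(value):
    """Keep the first two characters so a finding is recognisable without
    echoing the whole secret into an audit log."""
    return value[:2] + "*" * (len(value) - 2)


def find_plaintext_secrets(xml_text, secret_tags=SECRET_TAGS):
    """Parse config.xml text and return (tag, masked value) for every
    secret-bearing element that is stored unencrypted."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag in secret_tags:
            value = (elem.text or "").strip()
            if classify_secret(value) == "plaintext":
                findings.append((elem.tag, mask(value)))
    return findings


def audit_config_file(path):
    """Convenience wrapper for running the check against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(fh.read())
```

Running the same check again after upgrading the plugin and re-saving the configuration shows whether the stored value has actually changed form.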

Original References

The vulnerability was reported to the Jenkins project through its vulnerability report process. The detailed description of CVE-2022-45384 can be found in the following Jenkins advisory:

- Jenkins Security Advisory 2022-01-18

Exploit Details

To exploit the vulnerability, an attacker needs read access to the Jenkins controller file system. This can happen in several ways:

1. The attacker obtains valid user credentials and logs into the Jenkins web interface, leveraging their access to obtain the config.xml file directly or through another plugin.
2. The attacker gains direct access to the file system through a security flaw in Jenkins or the underlying operating system.
3. The attacker takes advantage of a misconfiguration or weakness in systems related to the Jenkins controller.

Once the attacker can read the unencrypted contents of the global config.xml file, they can use the LDAP manager password to authenticate to the LDAP server and, from there, potentially gain further access, escalate privileges, or read LDAP data.

How to Mitigate

The best way to mitigate this issue is to update the Jenkins Reverse Proxy Auth Plugin to a version later than 1.7.3, which no longer has the vulnerability and stores the LDAP manager password in encrypted form in the global config.xml file. Because the password has already been written to disk in plaintext, treat it as exposed: rotate the LDAP manager password after upgrading, and confirm that the value stored in config.xml is no longer in plaintext (re-save the global configuration if it still is).

Conclusion

CVE-2022-45384 is a significant vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier that could potentially allow attackers to obtain sensitive LDAP authentication information. Organizations using these plugin versions should upgrade and take appropriate security measures to protect their systems and prevent unauthorized access.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 17:04:00 UTC