CSRF, or cross-site request forgery, is an attack in which a site under the attacker's control causes a victim's Web browser to send a request to another site, using the credentials the browser already holds for that site. Here, an attacker can trick a logged-in user into submitting a request that deletes a build log on the targeted Jenkins instance. This is a particular concern for teams that use Jenkins to deploy applications to production servers, because an attacker could remove build records without the user noticing that anything has happened. To exploit the vulnerability, the attacker must craft content that makes the victim's browser submit the build-log deletion request, for example an email to a Jenkins administrator containing a link to a malicious page. The victim only has to open that page while logged in to Jenkins; nothing has to be deleted by hand, because the page causes the browser to send the deletion request on its own.

Mitigation and Detection Strategies

The recommended mitigation is to make the deletion request carry something a cross-site page cannot supply. The standard mechanism is an anti-CSRF token (in Jenkins, the crumb issued with the session and checked on every state-changing request), combined with accepting state changes only over POST: a request caused by a malicious site arrives with the victim's session cookie but without a valid token, and is rejected. Requiring the user to re-enter a password before deleting logs is an additional defense for this sensitive operation, because the attacker's page cannot supply the password either, and it also confirms the administrator's identity at the moment of deletion. Setting the session cookie with the SameSite attribute further limits which cross-site requests carry it at all. A token or password that expires after a short time limits the window in which a captured value could be replayed; it does not by itself stop a browser from submitting a forged request, so it complements rather than replaces the token check.
In addition to protecting the deletion request, administrators should make sure that build deletions are logged, since the Jenkins system log alone does not give an audit trail of who deleted what. Enable an audit trail of user actions (for example through the Audit Trail plugin) and check that the reverse proxy or Jenkins access log records each request with its method, path, user, and Referer or Origin header. With that in place, a deletion that originated from a foreign site can be recognized after the fact, which also helps detect other kinds of suspicious activity around builds.

The Problem with CSRF
Cross-site request forgery lets an attacker delete a build log using the victim's own authenticated session. The vulnerability is especially dangerous because the victim sees no clear indication that anything has happened. A web application firewall can help only to a limited degree: it can block deletion requests that carry a foreign Origin or Referer header, but those headers are not always present, and a WAF cannot tell a forged request from a genuine one when the two are byte-for-byte identical. The real fix belongs in the application, which must reject state-changing requests that do not carry a valid anti-CSRF token. Teams using Jenkins to deploy applications to production servers should take these precautions.

How Does CSRF Work?

The attacker must craft content that makes the victim's browser submit the deletion request to Jenkins. The usual vehicles are an HTML page containing an image tag, hidden form or script that targets the deletion URL, or an email or message linking to such a page. When the victim opens the page while logged in to Jenkins, the browser attaches the Jenkins session cookie to the outgoing request as it would to any other request to that site, and Jenkins processes the deletion as if the user had asked for it.

Overview

The vulnerability lies in the way Jenkins handles requests to delete build logs: the request is accepted on the strength of the credentials the browser sends automatically, with nothing that ties it to a page the user actually opened on Jenkins. If a user who is logged in to Jenkins visits the malicious site, the site can make the browser submit a deletion request to Jenkins.
An attacker who sends the victim a message with a link to that site can therefore delete any build logs the victim is permitted to delete, without the victim noticing that this has happened.

Vulnerable Configuration

The exploitable configuration is a Jenkins instance on which the build-log deletion request is accepted on the basis of the browser's ambient credentials alone, that is, without a valid anti-CSRF crumb: for example because the endpoint can be triggered by a GET request, or because CSRF protection has been disabled. Whether Jenkins authenticates users with a session cookie or with HTTP authentication makes no difference. In both cases the browser attaches the credentials to every request to the Jenkins origin, including requests a malicious page caused, so when a victim visits a malicious website, the request leaves the victim's own computer with the victim's own credentials and the attacker can have any build log the victim is allowed to delete removed from the targeted instance.
To exploit this, the attacker has to craft content, sent in an email or as a link, that makes the victim's browser submit the deletion request. The attacker does not gain the ability to run arbitrary commands on the Jenkins server; the attack is limited to actions the victim's browser could already perform with the victim's credentials.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:53:00 UTC

References