Hey there, folks! Today, let's shed some light on a recently disclosed vulnerability in Jenkins Delphix Plugin 3.0.2 and earlier. This issue is tracked as CVE-2023-40345, and it allows attackers with Overall/Read permission to access and capture credentials they are not entitled to. In this post, we'll walk through the vulnerability details, along with a code snippet and links to other valuable resources.

Vulnerability Details

The problem lies in the Delphix Plugin for Jenkins, which is used to automate virtual database management tasks. Specifically, versions 3.0.2 and earlier do not set the appropriate context for credentials lookup. In Jenkins terms, that context is the authentication the lookup runs as and the item it is scoped to; when a plugin resolves credentials as SYSTEM against the whole instance instead of as the requesting user against the job being configured, the lookup ignores the user's permissions entirely. As a result, attackers with Overall/Read permission can access and capture credentials they should not have access to.

Please note that the impact of this vulnerability reaches only those Jenkins instances where the Delphix Plugin has been installed and enabled.

Exploit Details

To understand the exploitation, assume the attacker holds Overall/Read permission on the Jenkins instance. The attacker does not run any code of their own; the weakness sits in how the plugin looks credentials up when it handles a request from that user. Because the lookup runs as SYSTEM rather than as the requesting user, it returns credentials the user could never read directly. Here's a simple code example of the vulnerable lookup pattern:

// Illustrative plugin-side lookup (not the Delphix Plugin's source): this runs
// inside Jenkins when a user holding only Overall/Read triggers the lookup.
import java.util.Collections;
import java.util.List;
import com.cloudbees.plugins.credentials.CredentialsMatcher;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.security.ACL;
import jenkins.model.Jenkins;

public class LeakyLookup {
    public void exploitCredentials() {
        CredentialsMatcher matcher = CredentialsMatchers.always(); // matches every credential
        List<StandardUsernamePasswordCredentials> creds =
            CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                Jenkins.get(),   // context: the whole instance rather than the job the form belongs to
                ACL.SYSTEM,      // authentication: SYSTEM rather than the requesting user (Jenkins.getAuthentication())
                Collections.<DomainRequirement>emptyList()
            );
        creds.stream()
            .filter(matcher::matches)
            .forEach(credential -> System.out.println("Leaked credential: "
                + credential.getUsername() + " - " + credential.getPassword().getPlainText()));
    }
}

Here's what's going on: the plugin calls CredentialsProvider.lookupCredentials() with the SYSTEM authentication (ACL.SYSTEM) and the whole Jenkins instance as the context. Nothing in that call reflects who made the request or which job the configuration belongs to, so a user with Overall/Read receives credentials that their own permissions would never have allowed. The appropriate pattern is to check the user's permission on the item before listing anything, and to scope the lookup to that item (or to run it as the requesting user via Jenkins.getAuthentication()) rather than against the entire instance as SYSTEM.
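To make the contrast concrete, here is an added example (written for this post, not taken from the Delphix Plugin's source) of a Jenkins form-validation descriptor done both ways. The class name CredentialsLookupExamples and the method names are assumptions of mine; the hardened methods follow the permission-check and context pattern from the Jenkins credentials-plugin consumer guide, and the dropdown and validation endpoints mirror the doFill.../doCheck... methods a plugin descriptor would expose.

```java
import java.util.Collections;
import java.util.List;

import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;

import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;

// Hypothetical descriptor-style class; in a real plugin these would be
// instance methods on a Descriptor so Stapler can route the form requests.
public class CredentialsLookupExamples {

    private static final List<DomainRequirement> NO_REQUIREMENTS = Collections.emptyList();

    /**
     * VULNERABLE: the dropdown is filled by a GET request that any user with
     * Overall/Read can issue. The lookup runs as SYSTEM against the whole
     * instance, so every credential in Jenkins is offered to the caller.
     */
    public static ListBoxModel fillCredentialsIdItemsVulnerable(@QueryParameter String credentialsId) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    /** Shared gate: may this user see credentials for this item (or globally)? */
    private static boolean mayListCredentials(Item item) {
        if (item == null) {
            return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
        }
        return item.hasPermission(Item.EXTENDED_READ)
                || item.hasPermission(CredentialsProvider.USE_ITEM);
    }

    /**
     * HARDENED: refuse to list anything the user is not entitled to (only echo
     * back the value already configured), and scope the lookup to the item the
     * form belongs to instead of the whole instance.
     */
    public static ListBoxModel fillCredentialsIdItemsHardened(@AncestorInPath Item item,
                                                              @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!mayListCredentials(item)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        NO_REQUIREMENTS, CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    /**
     * HARDENED validation: same gate first, so an unprivileged caller cannot
     * use "does this ID exist?" as an oracle, then resolve the ID in the item's
     * context only.
     */
    public static FormValidation checkCredentialsIdHardened(@AncestorInPath Item item,
                                                            @QueryParameter String value) {
        if (!mayListCredentials(item) || value == null || value.isEmpty()) {
            return FormValidation.ok();
        }
        StandardUsernamePasswordCredentials found = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, NO_REQUIREMENTS),
                CredentialsMatchers.withId(value));
        return found == null
                ? FormValidation.error("Cannot find credentials with ID " + value)
                : FormValidation.ok();
    }
}
```

The key difference is not the authentication object alone but the combination: the hardened methods first ask whether the requesting user holds Item/ExtendedRead or Credentials/UseItem on the job (or Overall/Administer when there is no job), and only then perform a lookup bounded to that job. Running the lookup as SYSTEM is acceptable once that gate has passed; running it as SYSTEM with no gate and no item, as the vulnerable method does, is what CVE-2023-40345 describes.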

Mitigation and Recommendations

There's no need to panic! The maintainers of the Delphix Plugin have already addressed this issue and released a fixed version, 3.0.3. Here's what you can do:

1. Update your Jenkins Delphix Plugin to version 3.0.3 or later. You can find the latest plugin version on the Jenkins Plugin Index.
2. Make sure your Jenkins instance is up-to-date and apply security best practices as suggested by the official Jenkins documentation.

For official information about CVE-2023-40345, consult the following resources:

- Jenkins Security Advisory 2023-08-16
- Delphix Plugin repository on GitHub

Remember, staying informed and up-to-date on security vulnerabilities in the tools you're using is crucial to keeping your systems and data safe. Feel free to share this information with others that may be affected by this issue. Happy coding, and stay safe out there!

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:01:00 UTC