Vulnerabilities > CVE-2017-1000355 - Deserialization of Untrusted Data vulnerability in Jenkins

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99984);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2017-1000353",
    "CVE-2017-1000354",
    "CVE-2017-1000355",
    "CVE-2017-1000356"
  );
  script_bugtraq_id(
    98056,
    98062,
    98065,
    98066
  );

  script_name(english:"Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the Jenkins version.");

  script_set_attribute(attribute:"synopsis", value:
"A job scheduling and management system hosted on the remote web server
is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Jenkins running on the remote web server is prior to
2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is
a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1,
1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or
2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple
vulnerabilities :

  - A remote code execution vulnerability exists within
    core/src/main/java/jenkins/model/Jenkins.java that
    allows an untrusted serialized Java SignedObject to be
    transfered to the remoting-based Jenkins CLI and
    deserialized using a new ObjectInputStream. By using a
    specially crafted request, an unauthenticated, remote
    attacker can exploit this issue to bypass existing
    blacklist protection mechanisms and execute arbitrary
    code. (CVE-2017-1000353)

  - A flaw exists in the remoting-based CLI, specifically in
    the ClientAuthenticationCache.java class, when storing
    the encrypted username of a successfully authenticated
    user in a cache file that is used to authenticate
    further commands. An authenticated, remote attacker who
    has sufficient permissions to create secrets in Jenkins
    and download their encrypted values can exploit this
    issue to impersonate any other Jenkins user on the same
    instance. (CVE-2017-1000354)

  - A denial of service vulnerability exists in the XStream
    library. An authenticated, remote attacker who has
    sufficient permissions, such as creating or configuring
    items, views or jobs, can exploit this to crash the Java
    process by using specially crafted XML content.
    (CVE-2017-1000355)

  - Cross-site request forgery (XSRF) vulnerabilities exist
    within multiple Java classes due to a failure to require
    multiple steps, explicit confirmation, or a unique token
    when performing certain sensitive actions. An
    unauthenticated, remote attacker can exploit these to
    perform several administrative actions by convincing a
    user into opening a specially crafted web page.
    (CVE-2017-1000356)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.cloudbees.com/cloudbees-security-advisory-2017-04-26");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2017-04-26/");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.57 or later, Jenkins LTS to version
2.46.2 or later, or Jenkins Enterprise to version 1.625.24.1 /
1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000353");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jenkins_detect.nasl");
  script_require_keys("www/Jenkins");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8080);
get_kb_item_or_exit("www/Jenkins/"+port+"/Installed");
url = build_url(qs:'/', port:port);

version = '';
fix = '';
if (get_kb_item("www/Jenkins/"+port+"/enterprise/Installed"))
{
  appname = "Jenkins Enterprise by CloudBees";
  version = get_kb_item("www/Jenkins/"+port+"/enterprise/CloudBeesVersion");

  if (version =~ "^1\.651\.")
  {
    fix = '1.651.24.1';
  }
  else if (version =~ "^1\.625\." )
  {
    fix = '1.625.24.1';
  }
  else if (version =~ "^2\.7\." )
  {
    fix = '2.7.24.0.1';
  }
  else
  {
    fix = '2.46.2.1';
  }
}
else
{
  if (get_kb_item("www/Jenkins/"+port+"/is_LTS") )
  {
    appname = "Jenkins Open Source LTS";
    fix = '2.46.2';
  }
  else
  {
    appname = "Jenkins Open Source";
    fix = '2.57';
  }

  version = get_kb_item("www/Jenkins/" + port + "/JenkinsVersion");
  if (version == 'unknown')
  {
    audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);
  }
}

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n  URL           : ' + url +
    '\n  Product       : ' + appname +
    '\n  Version       : ' + version +
    '\n  Fixed version : ' + fix +
    '\n';

  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, xsrf:TRUE);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(99698);
  script_version("3.5");
  script_cvs_date("Date: 2019/04/10 16:10:17");

  script_cve_id("CVE-2017-1000353", "CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356");

  script_name(english:"FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Jenkins Security Advisory : DescriptionSECURITY-412 through
SECURITY-420 / CVE-2017-1000356 CSRF: Multiple vulnerabilities
SECURITY-429 / CVE-2017-1000353 CLI: Unauthenticated remote code
execution SECURITY-466 / CVE-2017-1000354 CLI: Login command allowed
impersonating any Jenkins user SECURITY-503 / CVE-2017-1000355
XStream: Java crash when trying to instantiate void/Void"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://jenkins.io/security/advisory/2017-04-26/"
  );
  # https://vuxml.freebsd.org/freebsd/631c4710-9be5-4a80-9310-eb2847fe24dd.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3062337c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins-lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"jenkins<2.57")) flag++;
if (pkg_test(save_report:TRUE, pkg:"jenkins-lts<2.46.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");