CVE-2020-2099: Jenkins Inbound TCP Agent Protocol/3 Encryption Key Parameter Reuse Vulnerability


Description Preview

Jenkins 2.213 and earlier, and LTS 2.204.1 and earlier, reuse encryption key parameters across connections in the Inbound TCP Agent Protocol/3. An unauthenticated attacker who can reach the inbound agent port and knows an agent's name can exploit this reuse to obtain that agent's connection secret, then connect to Jenkins with it and impersonate the agent. The weakness is classified as CWE-330 (Use of Insufficiently Random Values).

Overview

The flaw is in the Jenkins implementation of Inbound TCP Agent Protocol/3 (protocol name JNLP3-connect), the deprecated predecessor of the TLS-based Inbound TCP Agent Protocol/4: the controller reuses encryption key parameters across agent connections instead of deriving fresh ones per connection, which is the CWE-330 weakness. Because of the reuse, an attacker who can reach the inbound agent TCP port and knows an agent's name can recover that agent's connection secret without holding any Jenkins credentials. Every instance running 2.213 and earlier or LTS 2.204.1 and earlier with Protocol/3 enabled is affected; instances that only accept Protocol/4 are not reachable through this bug. With a recovered secret the attacker connects to the controller as that agent. Builds scheduled on the impersonated agent, together with any credentials Jenkins hands to those builds, are then delivered to the attacker's machine, and the attacker can return arbitrary build results and artifacts to the controller.

Remediation

Upgrade to Jenkins 2.214 or newer, or LTS 2.204.2 or newer; the fix is documented in the Jenkins security advisory for SECURITY-1682 (reference 1). Inbound TCP Agent Protocol/3 is deprecated in favor of the TLS-based Inbound TCP Agent Protocol/4 (JNLP4-connect), so the durable mitigation, with or without the upgrade, is to disable Protocol/3 under Manage Jenkins > Configure Global Security > Agents > Agent protocols and confirm that every inbound agent still connects over JNLP4-connect. If the upgrade must wait, restrict network access to the inbound agent TCP port (the "TCP port for inbound agents" setting on the same screen) to the subnets that host agents, and treat agent names as public: they are listed on the controller's node list to anyone with read access. Afterwards, audit the connected agents (Manage Jenkins > Manage Nodes) for connections from unexpected hosts. Note that an inbound agent's secret is derived from its node name, so deleting and recreating a node under the same name yields the same secret; give any agent that may have been impersonated a new name.
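To triage exposure from outside the controller, the following Python script (an added example, not code from Jenkins or from this page) reads the headers Jenkins sends on its root URL: X-Jenkins (the version), X-Jenkins-Agent-Protocols (the enabled inbound agent protocols) and X-Jenkins-JNLP-Port (the inbound agent port, when enabled). It reports an instance as exposed when the version falls in the affected range for its release line (weekly 2.213 and earlier, LTS 2.204.1 and earlier) and JNLP3-connect, the protocol name of Inbound TCP Agent Protocol/3, is still enabled. The sample headers in the block are constructed, and fetch_headers is an assumed convenience for running the same check against a live URL.

```python
"""Triage check for CVE-2020-2099 from the headers of a Jenkins root-URL response.

A controller is exposed when it runs an affected version AND still has
Inbound TCP Agent Protocol/3 ("JNLP3-connect") enabled. Added example; not
part of Jenkins or of the advisory page.
"""
import re
import urllib.error
import urllib.request

VULNERABLE_PROTOCOL = "JNLP3-connect"   # Inbound TCP Agent Protocol/3
FIXED_WEEKLY = (2, 214)                 # weekly 2.213 and earlier are affected
FIXED_LTS = (2, 204, 2)                 # LTS 2.204.1 and earlier are affected


def parse_version(text):
    """Turn '2.204.1' into (2, 204, 1) or '2.213' into (2, 213); None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def version_affected(version):
    """Weekly releases are X.Y and LTS releases X.Y.Z; each line has its own fix version."""
    if version is None:
        return None
    if len(version) == 3:
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def parse_protocols(header_value):
    """X-Jenkins-Agent-Protocols is a comma-separated list, e.g. 'JNLP4-connect, Ping'."""
    return {p.strip() for p in header_value.split(",") if p.strip()}


def assess(headers):
    """headers: mapping of response header name -> value; lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    version = parse_version(h.get("x-jenkins", ""))
    protocols = parse_protocols(h.get("x-jenkins-agent-protocols", ""))
    affected = version_affected(version)
    result = {
        "version": version,
        "version_affected": affected,
        "protocol3_enabled": VULNERABLE_PROTOCOL in protocols,
        "inbound_port": h.get("x-jenkins-jnlp-port"),
    }
    # Exposed only when both conditions hold; an unknown version stays None.
    result["exposed"] = None if affected is None else (affected and result["protocol3_enabled"])
    return result


def fetch_headers(url, timeout=5):
    """Assumed live helper: HEAD the Jenkins root URL and return its response headers."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # e.g. 403 when anonymous read is disabled; the Jenkins headers are still sent.
        return dict(err.headers.items())


# Constructed sample (not captured from a real host): an LTS 2.204.1 controller
# that still has Protocol/3 enabled next to the TLS-based Protocol/4.
SAMPLE_HEADERS = {
    "X-Jenkins": "2.204.1",
    "X-Jenkins-JNLP-Port": "50000",
    "X-Jenkins-Agent-Protocols": "JNLP3-connect, JNLP4-connect, Ping",
}

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
    # For a live controller: print(assess(fetch_headers("https://jenkins.example.com/")))
```

A controller whose headers show JNLP3-connect remains exposed even after patching if the protocol is re-enabled, so the protocol check is worth keeping in routine configuration audits, not only in the one-off version check.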

References

  1. Jenkins Security Advisory (2020-01-29): https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682
  2. OSS Security Mailing List: http://www.openwall.com/lists/oss-security/2020/01/29/1
  3. Red Hat Security Advisory RHSA-2020:0681: https://access.redhat.com/errata/RHSA-2020:0681
  4. Red Hat Security Advisory RHSA-2020:0683: https://access.redhat.com/errata/RHSA-2020:0683
  5. Red Hat Bug Advisory RHBA-2020:0402: https://access.redhat.com/errata/RHBA-2020:0402
  6. Red Hat Bug Advisory RHBA-2020:0675: https://access.redhat.com/errata/RHBA-2020:0675

Industry Exposure (most to least affected)

This section ranks industries by how often this CVE has been observed in Armis customer environments, from most to least affected. The ranking helps organizations in these sectors judge their exposure relative to peers and prioritize patching and remediation of this CVE accordingly.

  1. Manufacturing
  2. Finance and Insurance
  3. Public Administration
  4. Health Care & Social Assistance
  5. Retail Trade
  6. Transportation & Warehousing
  7. Educational Services
  8. Management of Companies & Enterprises
  9. Other Services (except Public Administration)
  10. Professional, Scientific, & Technical Services
  11. Accommodation & Food Services
  12. Arts, Entertainment & Recreation
  13. Utilities
  14. Wholesale Trade
  15. Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry, Fishing & Hunting
  17. Construction
  18. Information
  19. Mining
  20. Real Estate Rental & Leasing


Armis Vulnerability Intelligence Database