FreeBSD : jenkins -- slave-originated arbitrary code execution on master servers (0dad9114-60cc-11e4-9e84-0022156e8794)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Kohsuke Kawaguchi from Jenkins team reports :

Historically, Jenkins master and slaves behaved as if they altogether
form a single distributed process. This means a slave can ask a master
to do just about anything within the confinement of the operating
system, such as accessing files on the master or trigger other jobs on
Jenkins.

This has increasingly become problematic, as larger enterprise
deployments have developed more sophisticated trust separation model,
where the administrators of a master might take slaves owned by other
teams. In such an environment, slaves are less trusted than the
master. Yet the 'single distributed process' assumption was not
communicated well to the users, resulting in vulnerabilities in some
deployments.

SECURITY-144 (CVE-2014-3665) introduces a new subsystem to address
this problem. This feature is off by default for compatibility
reasons. See Wiki for more details, who should turn this on, and
implications.

CVE-2014-3566 is rated high. It only affects installations that accept
slaves from less trusted computers, but this will allow an owner of
such slave to mount a remote code execution attack on Jenkins.

See also :

http://www.nessus.org/u?c3ec4fdc
http://www.nessus.org/u?3ea19aad
http://www.cloudbees.com/jenkins-security-advisory-2014-10-30
http://www.nessus.org/u?99e73170

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 78815

Bugtraq ID:

CVE ID: CVE-2014-3665
