[CVE-2013-5676] Plain Text Password In SonarQube Jenkins Plugin

[Christian Catalano <ch.catalano () gmail com>]

###################################################

*
1. **###****Advisory Information **###*

Title: SonarQube Jenkins Plugin - Plain Text Password

Date published: 2013-12-05

Date of last update: 2013-12-05

Vendors contacted: SonarQube and Jenkins CI

Discovered by: Christian Catalano

Severity: High

*
*

*
2. **###****Vulnerability Information **###*

CVE reference: CVE-2013-5676

CVSS v2 Base Score: 9.0

CVSS v2 Vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) 
<http://nvd.nist.gov/cvss.cfm?vector=%28AV:N/AC:L/Au:S/C:C/I:C/A:C%29>

Component/s: Jenkins SonarQube Plugin

Class: plain text password



*3. ### Introduction ###*

Jenkins CI is an extendable open source continuous integration server 
http://jenkins-ci.org.

Jenkins SonarQube Pluginallows you to trigger SonarQube analysis from 
Jenkins CI using either a:

- Build step to trigger the analysis with the SonarQube Runner

- Post-build action to trigger the analysis with Maven

http://docs.codehaus.org/display/SONAR/Jenkins+Plugin


*4. ### Vulnerability Description ###*

The default installation and configuration of Jenkins SonarQube Plugin 
in Jenkins CI isprone to a security vulnerability.

This vulnerability could be exploited by a remote attacker (a jenkins 
malicious user with Manage Jenkins enabled)to obtain the SonarQube's 
credentials.


**

*5. ### Technical Description / Proof of Concept Code ###*

Below is a harmless test that can be executed to check if a Jenkins 
SonarQube Plugin installation is vulnerable.

Using a browser with a web proxy go to the following URL:

https://jenkinsserver:9444/jenkins/configure

check the parameter "sonar.sonarPassword" in Sonar installations section.

A vulnerable installation will show the password in plain text.

*6. ### Business Impact ###*

An attacker (a jenkins malicious user with Manage Jenkins enabled) can 
obtain the SonarQube's credentials.

**

*7. ### Systems Affected ### *

This vulnerability was tested against:

Jenkins CI v1.523 and SonarQube Plugin v3.7

Older versions are probably affected too, but they were not checked.

8. *### Vendor Information, Solutions and Workarounds ###*

There is the ability to encrypt the "sonar.password" property with the 
SonarQube encryption mechanism:

http://docs.codehaus.org/display/SONAR/Settings+Encryption

The sonar.password property is only encryptable since SonarQube v3.7

*9. ### Credits ###*

This vulnerability has been discovered by:

Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com

*10. ### Vulnerability History ###*

**

August21th, 2013: Vulnerability identification

September 4th, 2013: Vendor notification [Jenkins CI]

November 19th, 2013: Vulnerability confirmation [Jenkins CI]

November 29th, 2013: Vendor notification [SonarQube]

December2nd, 2013: Vendor solution[SonarQube]

December6th, 2013: Vulnerability disclosure

*
*

*11. ### Disclaimer ###*

**

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise.

I accept no responsibility for any damage caused by the use or misuse of 
this information.

###################################################

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/