This issue was addressed by avoiding the use of non-constant-time comparison functions in Jenkins. GitLab plugin versions 1.5.36 and later are now protected against this vulnerability by comparing the provided webhook token against the expected value. The latest version also has additional checks to ensure the provided webhook token is not expired, potentially eliminating this as a vector for attack. Both of these issues were discovered by security researchers from Cisco Talos. To avoid any possible confusion with this issue, Jenkins and GitLab plugin versions 1.5.37 and later have been updated to avoid the use of the term “SHA-1 collision”, which has become a controversial topic in the security community.

Impact: An attacker with a valid webhook token can use statistical methods to generate a valid token with the same or similar characteristics. When provided with a token generated in this manner, Jenkins and GitLab plugin versions 1.5.36 and earlier will accept the webhook request and execute the code.

How: An attacker can generate a valid token by using a service such as sha1collision.com. They can then use this service to generate a valid token with the same or similar characteristics. These services are accessible via a URL such as https://sha1collision.com/sha1s/?url=<redirected domain of interest>&token=<valid webhook token>&hashes=<output file path> where redirected domain

CVE-2023-43412

This issue was addressed by updating the Jenkins plugin to use a new implementation of the default sha1collision.com service. The latest version of the plugin uses a different URL and is unable to accept URLs with invalid webhook tokens. This addresses an attack vector where an attacker could try to use a website such as sha1collision.com to generate valid tokens with similar characteristics, which would be accepted by Jenkins and GitLab plugin versions 1.5.36 and earlier if provided with a valid token generated via this website or similar websites.

Mitigation Strategy: Jenkins and GitLab Plugin Version 1.5.37 and Later

Jenkins 1.5.37 and later protect against this vulnerability by validating that the provided webhook token is not expired, potentially eliminating this as a vector for attack. GitLab plugin versions 1.5.36 and later are also protected against this vulnerability by comparing the provided webhook token against the expected value.

However, the caveat of these protections is that Jenkins and GitLab plugin versions 1.5.37 and later will still accept webhook requests if they come from a URL such as https://sha1collision.com/sha1s/?url=<redirected domain of interest>&token=<valid webhook token>&hashes=<output file path>. This means that an attacker can use a service such as sha1collision.com to generate a valid token with the same or similar characteristics, then use that service to generate further tokens with similar or identical characteristics, as well as tokens with different characteristics, to create confusion in this process.

Impacts and Mitigation

Jenkins and GitLab plugin versions 1.5.36 and earlier are vulnerable to accepting a malicious webhook that has been generated by an attacker holding a valid token, allowing them to execute the code provided. This issue was addressed by avoiding the use of non-constant-time comparison functions in Jenkins, which is now protected against this vulnerability by comparing the provided webhook token against the expected value. The latest version also has additional checks to ensure the provided webhook token is not expired, potentially eliminating this as a vector for attack.

Impacts: If an attacker has a valid webhook token, they can potentially use statistical methods to generate a valid token that contains similar characteristics. When provided with such a token, Jenkins and GitLab plugin versions 1.5.36 and earlier will accept the webhook request and execute the code.

How: An attacker can generate a valid token by using tools such as sha1collision.com or similar tools to generate one with similar characteristics. These services are accessible via URLs such as https://sha1collision.com/sha1s/?url=<redirected domain of interest>&token=<valid webhook token>&hashes=<output file path>, where redirected domain represents the domain of interest from which you want to generate your new tokens.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/20/2022 18:42:00 UTC

References