Jenkins/ssh-agent Docker Image, SSH Host Key Reuse, CVE-2025-32754 (Critical)

How CVE-2025-32754 Works

The vulnerability occurs in Jenkins/ssh-agent Docker images (v6.11.1 and earlier), where SSH host keys are generated during image creation instead of at container runtime. As a result, all containers started from the same image version share identical SSH host keys. An attacker positioned in the network path between the Jenkins controller and the SSH build agent can exploit this to perform man-in-the-middle (MITM) attacks by impersonating the legitimate build agent. The static keys enable trust chain compromise, allowing unauthorized access to sensitive CI/CD pipelines and potential code injection.

DailyCVE Form

Platform: Jenkins/ssh-agent
Version: ≤6.11.1
Vulnerability: SSH key reuse
Severity: Critical
Date: 04/10/2025

What Undercode Say:

Exploitation commands:
Identify vulnerable containers:
docker ps --filter "ancestor=jenkins/ssh-agent:6.11.1"
MITM simulation using shared keys:
ssh -o StrictHostKeyChecking=no -i /path/to/known_host_keys user@target_container
Protection commands:
Upgrade to patched version:
docker pull jenkins/ssh-agent:6.11.2
Runtime key generation (workaround):
docker run -e "SSH_HOST_KEYS_GENERATE=true" jenkins/ssh-agent:custom
Verification script:
#!/bin/bash
# Usage: pass the container name or ID as the first argument
if [[ $(docker inspect "$1" | grep -A5 "SSH_HOST_KEY" | wc -l) -eq 0 ]]; then
    echo "Vulnerable: Static keys detected"
fi
Secure Dockerfile example:
FROM jenkins/ssh-agent:6.11.2
# Remove any host keys present in the image layer; /etc/crontab entries take a user field
RUN rm -f /etc/ssh/ssh_host_* && \
    echo "@reboot root /usr/sbin/sshd-keygen" >> /etc/crontab
Key rotation automation:
from docker import DockerClient

def rotate_keys(container):
    client = DockerClient()
    container = client.containers.get(container)
    # exec_run does not invoke a shell, so the glob is wrapped in sh -c
    container.exec_run(["sh", "-c", "rm -f /etc/ssh/ssh_host_*"])
    # Regenerate every missing host key type
    container.exec_run("ssh-keygen -A")
    container.restart()

Analytics:

  • Attack Surface: Network-accessible Jenkins agents
  • Impact Score: 9.8 (CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • Patch Timeline: 72h critical response
  • Affected Configs: Default Debian-based deployments
  • Detection: SSH handshake fingerprinting
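
Added example (not from the original page or the Jenkins project): since every container started from an affected image presents the same host key, reuse shows up when ssh-keyscan output from your own agents is grouped by key fingerprint. The host names and key bytes are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ed25519_blob(raw32: bytes) -> bytes:
    """Build an SSH wire-format ed25519 public key blob (used for sample data)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text: str) -> dict:
    """Return {fingerprint: [hosts]} for host keys presented by more than one host."""
    hosts = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # ssh-keyscan lines are "host keytype base64key"; skip comments and junk
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, _keytype, key_b64 = parts[:3]
        try:
            hosts[fingerprint(key_b64)].add(host)
        except ValueError:  # malformed base64 in the key field
            continue
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}


# Constructed sample in ssh-keyscan output format: agent-a and agent-b
# carry the key baked into the image, agent-c generated its own at startup.
BAKED_KEY = base64.b64encode(ed25519_blob(b"\x11" * 32)).decode()
FRESH_KEY = base64.b64encode(ed25519_blob(b"\x22" * 32)).decode()
SAMPLE = "\n".join([
    "# constructed sample, not real scan output",
    f"agent-a ssh-ed25519 {BAKED_KEY}",
    f"agent-b ssh-ed25519 {BAKED_KEY}",
    f"agent-c ssh-ed25519 {FRESH_KEY}",
])

if __name__ == "__main__":
    for fp, names in shared_host_keys(SAMPLE).items():
        print(f"REUSED {fp}: {', '.join(names)}")
```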

Sources:

Reported By: nvd.nist.gov