Jenkins Security Advisory: Addressing the Critical CVE-2024–23897 Vulnerability

Jan 21, 2024 2 Comments

Introduction:

Jenkins, a widely utilized open-source automation server, has recently been thrust into cybersecurity discussions due to the identification of a critical vulnerability known as CVE-2024–23897. This flaw poses severe security risks, particularly concerning remote code execution (RCE).

CVE-2024–23897: Technical Details:

The critical vulnerability (CVE-2024–23897) in Jenkins is centered around a security flaw within its command-line interface (CLI), where the Args4j library is employed for parsing command arguments.

- Red Team

Overview:

Jenkins is a popular open-source automation server that is widely used for continuous integration and continuous delivery (CI/CD) purposes. In order to secure and maintain the trust of our users, we have been closely monitoring for potential security vulnerabilities in Jenkins. Recently, a critical vulnerability (CVE-2024–23897) was discovered in the Jenkins core framework. The CVE-2024–23897 vulnerability is a remote code execution (RCE) vulnerability in Jenkins. It allows attackers to exploit a code injection vulnerability to take control of Jenkins instances. Successful exploitation of this vulnerability allows attackers to execute arbitrary code, resulting in a complete compromise of the affected system. This can lead to various consequences, such as data breaches, unauthorized code execution, and the potential for further compromise of the overall infrastructure. It is crucial for Jenkins users to take immediate action to apply the recommended mitigation measures to protect against this vulnerability.



Description of vulnarability :

Jenkins utilizes the args4j library to parse command arguments in the CLI. The vulnerability arises from a feature in this library where an '@' character followed by a file path in a command argument is replaced with the contents of that file.

Flaw Exploitation:

Attackers can misuse this feature to read arbitrary files on the Jenkins controller's file system, as demonstrated in the Proof-of-Concept (PoC) example below:


python CVE-2024-23897.py -l host.txt -f /etc/passwd

  • Mechanism of Exploitation:

    • The vulnerability stems from the improper handling of the '@' character, allowing attackers to read files they shouldn't have access to, including sensitive data and cryptographic keys.

    Permission-Based Impact: Attackers with Overall/Read permission gain extensive access to sensitive data, while those with limited permissions can only read the first few lines of files.
    Remote Code Execution (RCE) Threat: Various methods, such as using Resource Root URLs, crafting "Remember me" cookies, or exploiting stored XSS in build logs, can be employed for remote code execution. Certain methods require access to CLI WebSocket endpoints, and attackers may retrieve binary secrets, leading to further compromise.



  • Security Implications:

    • The vulnerability exposes file contents, especially sensitive data and cryptographic keys, with multiple attack scenarios and unique implications.

  • Affected Versions and Attack Vectors:

    • Jenkins versions up to 2.441 and LTS versions up to 2.426.2 are impacted. Attack scenarios include RCE through Resource Root URLs, "Remember me" cookies, and stored XSS attacks in build logs.

  • Discovery and Public Disclosure:

    • Security researchers discovered and reported the vulnerability, leading to its public disclosure and emphasizing the risks associated with unpatched Jenkins instances.

  • Mitigation and Patching:

    • Jenkins responded with patches in versions 2.442 and LTS 2.426.3, disabling the vulnerable command parser feature. Administrators are advised to update immediately or, if unable, temporarily disable Jenkins CLI access.

  • Proof-of-Concept Exploits:

    • Following the disclosure, multiple PoC exploits were released, underscoring the urgency for administrators to secure their Jenkins instances.

  • Wider Implications and Recommendations:

    • This incident highlights the importance of regular software updates and robust cybersecurity measures for widely used tools like Jenkins. Organizations are urged to remain vigilant and proactive in their security practices.


    Uncovering Critical Security Vulnerabilities in Jenkins

    Unauthenticated attackers can read the first few lines of arbitrary files from the server, while read-only authorized attackers can read the entire file. This could ultimately lead to the execution of arbitrary code in some cases (CVE-2024-23897). If one of the following conditions is met, even unauthenticated users have at least read permission:
    Legacy mode authorization is enabled.
    Configuration “Allow anonymous read access” is checked in the “logged-in users can do anything” authorization mode.
    The signup feature is enabled.
    The second vulnerability (CVE-2024-23898) resides within the WebSocket CLI feature, which lacks an origin check, allowing Cross-Site WebSocket Hijacking (CSWSH). This vulnerability might be exploited by sending a malicious link to a victim. Certain modern web browsers implement a “lax by default” policy, which serves as a potential safeguard against this vulnerability. Nonetheless, given that some widely used browsers like Safari and Firefox do not strictly enforce this policy, and considering the associated risks of potential bypass techniques or users using outdated browsers, the severity classification for this vulnerability is High.


SMIIT Cyber AI: Comprehensive Security, Unwavering Peace of Mind.

Though these vulnerabilities pose a risk, SMIIT Cyber AI has you covered. We proactively detect and address threats like unauthorized file access and web socket hijacking, ensuring your systems remain secure. Emphasize that SMIIT Cyber AI takes a proactive approach to cybersecurity, going beyond just identifying threats to recommending and implementing remediation strategies.


Conclusion:

Jenkins's CVE-2024-23897 vulnerability is an alarming indication of the ongoing challenges facing the cybersecurity industry. Applying suggested safety precautions and staying current are essential steps in protecting priceless digital assets.



References:

CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability.Red Team. Source.
https://github.com/jenkinsci/jenkins
https://github.com/binganao/CVE-2024-23897
https://www.jenkins.io/security/advisory/2024-01-24/


Cybersecurity AI Tech Tools
Comments (2)
John Doe
Posted at 15:32h, 07 Jaunuary Reply

"As someone who works in the cybersecurity field, I found this blog incredibly informative! The tips on protecting against phishing attacks were especially useful. Keep up the great work, looking forward to more content like this!"

Taylor
Posted at 15:32h, 06 December Reply

"Wow, this blog opened my eyes to so many potential threats I hadn't even considered before. It's scary how vulnerable we can be online, but thanks to articles like these, I feel more empowered to take control of my digital security. Thank you for the valuable insights!"

Leave a Comment

Recent Tweets

  • "Protect your digital fortress! 💻🔒 Stay ahead of cyber threats with these essential cybersecurity tips" https://bit.ly/smiit-cyberai1 Jan/12/2024
  • "Hackers beware! 🔍🛡️ Strengthen your defense against cyber attacks with the latest cybersecurity tools and best practices" https://bit.ly/smiit-cyberai2 Feb/10/2024

Tags

Cybersecurity AI AI and Security Tech Tools SMIIT SMMIT-CyberAI Docker Cloud Security

Our mission is to empower businesses and individuals with robust cybersecurity solutions.

About Us
Contact Info

SMIIT CyberAI copyright © 2024. All Rights Reserved.