Source: TippaPatt via Shutterstock
Some 45,000 Internet-exposed Jenkins servers remain unpatched against a critical, recently disclosed arbitrary file-read vulnerability for which proof-of-exploit code is now publicly available.
CVE-2024-23897 affects the built-in Jenkins command line interface (CLI) and can lead to remote code execution on affected systems. The Jenkins infrastructure team disclosed the vulnerability, and released updated version software, on Jan. 24.
Proof-of-Concept Exploits
Since then, proof-of-concept (PoC) exploit code has become available for the flaw and there are some reports of attackers actively attempting to exploit it. On Jan. 29, the nonprofit ShadowServer organization, which monitors the Internet for malicious activity, reported observing around 45,000 Internet-exposed instances of Jenkins that are vulnerable to CVE-2024-23897. Nearly 12,000 of the vulnerable instances are located in the US; China has almost as many vulnerable systems, according to ShadowServer data.
Many enterprise software development teams use Jenkins to build, test, and deploy applications. Jenkins allows organizations to automate repetitive tasks during software development — such as testing, code quality checks, security scanning, and deployment — during the software development process. Jenkins is also often used in continuous integration and continuous deployment environments.
Developers use the Jenkins CLI to access and manage Jenkins from a script or a shell environment. CVE-2024-23897 is present in a CLI command parser feature that is enabled by default on Jenkins versions 2.441 and earlier and Jenkins LTS 2.426.2 and earlier.
"This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process," the Jenkins team said in the Jan. 24 advisory. The flaw allows an attacker with Overall/Read permission — something that most Jenkins users would require — to read entire files. An attacker without that permission would still be able to read the first few lines of files, the Jenkins team said in the advisory.
Multiple Vectors for RCE
The vulnerability also puts at risk binary files containing cryptographic keys used for various Jenkins features, such as credential storage, artifact signing, encryption and decryption, and secure communications. In situations where an attacker might exploit the vulnerability to obtain cryptographic keys from binary files, multiple attacks are possible, the Jenkins advisory warned. These include remote code execution (RCE) attacks when the Resource Root URL function is enabled; RCE via the "Remember me" cookie; RCE through cross-site scripting attacks; and remote code attacks that bypass cross-site request forgery protections, the advisory said.
When attackers can access cryptographic keys in binary files via CVE-2024-23897 they can also decrypt secrets stored in Jenkins, delete data, or download a Java heap dump, the Jenkins team said.
Researchers from SonarSource who discovered the vulnerability and reported it to the Jenkins team described the vulnerability as allowing even unauthenticated users to have at least read permission on Jenkins under certain conditions. This can include having legacy mode authorization enabled, or if the server is configured to allow anonymous read access, or when the sign-up feature is enabled.
Yaniv Nizry, the security researcher at Sonar who discovered the vulnerability, confirms that other researchers have been able to reproduce the flaw and have a working PoC.
"Since it's possible to exploit the vulnerability unauthenticated, to a certain extent, it is very easy to discover vulnerable systems," Nizry notes. "Regarding exploitation, if an attacker is interested in elevating the arbitrary file read to code execution, it would require some deeper understanding of Jenkins and the specific instance. The complexity of escalation is dependent on the context."
The new Jenkins versions 2.442 and LTS version 2.426.3 address the vulnerability. Organizations that cannot immediately upgrade should disable CLI access to prevent exploitation, the advisory said. "Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3. Applying this workaround does not require a Jenkins restart."
Patch Now
Sarah Jones, cyber-threat intelligence research analyst at Critical Start, says organizations using Jenkins would do well not to ignore the vulnerability. "The risks include data theft, system compromise, disrupted pipelines, and the potential for compromised software releases," Jones says.
One reason for the concern is the fact that DevOps tools such as Jenkins can often contain critical and sensitive data that developers might bring in from production environments when building or developing new applications. A case in point occurred last year when a security researcher found a document containing 1.5 million individuals on the TSA's no-fly list sitting unprotected on a Jenkins server, belonging to Ohio-based CommuteAir.
"Immediate patching is crucial; upgrading to Jenkins versions 2.442 or later (non-LTS) or 2.427 or later (LTS) addresses CVE-2024-23897," Jones says. As a general practice she recommends that development organizations implement a least-privilege model for limiting access, and also do vulnerability scanning and continuous monitoring for suspicious activities. Jones adds: "Additionally, promoting security awareness among developers and administrators strengthens the overall security posture."