Saturday, March 2, 2024

Critical Jenkins Vulnerability Let Attackers Execute Remote Code


Jenkins is an open-source, Java-based automation server used for continuous integration and continuous delivery (CI/CD). Threat actors target Jenkins because of its widespread use in software development pipelines.

That widespread use gives threat actors an opportunity to exploit vulnerabilities and gain unauthorized access to sensitive data, potentially disrupting and compromising software development workflows.

Recently, the Jenkins security team disclosed a critical vulnerability, tracked as CVE-2024-23897 with a CVSS score of 9.8, that enables threat actors to execute remote code.

Alert: CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
A critical vulnerability within Jenkins’ built-in command line interface (CLI), opens the door to arbitrary file reads through the CLI, potentially culminating in remote code execution…

— Hunter (@HunterMapping) January 25, 2024

Flaw Profile

CVE ID: CVE-2024-23897

CVSS score: 9.8

Severity: CRITICAL

Description: Arbitrary file read vulnerability through the CLI can lead to RCE


Critical Jenkins Vulnerability

The vulnerability stems from ‘expandAtFiles’, a feature of the CLI’s command parser that is enabled by default, and affects Jenkins versions 2.441 and earlier.

The parser comes from the args4j library, which expands an argument of the form @<path> into the contents of that file. Attackers can abuse this arbitrary file read to access the file system, potentially compromising the system’s security.



CVE-2024-23897 lets attackers with Overall/Read permission read entire files; attackers without that permission can read only the first few lines, the exact number depending on the CLI command used.

Binary files containing cryptographic keys can be read, though with restrictions. Jenkins warns that several of the possible RCE attacks depend on obtaining cryptographic keys from such binary files.

In recent releases without plugins installed, the Jenkins team found a way to read the first three lines of a file; no plugins that raise this line count have been identified at the moment.

Confirmed attacks include reading whole files whose path is known, and those that rely on the attacker’s ability to extract cryptographic keys from binary files.


The capabilities this critical flaw gives attackers are listed below:

Remote code execution via Resource Root URLs

Remote code execution via “Remember me” cookie

Remote code execution via stored cross-site scripting (XSS) attacks through build logs

Remote code execution via CSRF protection bypass

Decrypt secrets stored in Jenkins

Delete any item in Jenkins

Download a Java heap dump 

Whether binary files can be read also depends on the controller’s default character encoding. With UTF-8, roughly half of all possible byte values are replaced by a placeholder character, which makes recovering binary content difficult for attackers.

Windows-1252, by contrast, replaces only 5 of the 256 byte values, leaving far fewer bytes unreadable. Administrators can check the file.encoding value under Manage Jenkins > System Info, and should identify and update affected Jenkins instances promptly to mitigate the risk.

Other Flaws Detected

The other vulnerabilities detected are listed below:

CVE-2024-23898, CVSS 8.8: a cross-site WebSocket hijacking vulnerability in the CLI.

CVE-2024-23899, CVSS 8.8: an arbitrary file read vulnerability in the Git server Plugin that can lead to RCE.

CVE-2023-6148, CVSS 8.0: a stored XSS vulnerability in the Qualys Policy Compliance Scanning Connector Plugin.

CVE-2024-23905, CVSS 8.0: Content-Security-Policy protection for user content is disabled by the Red Hat Dependency Analytics Plugin.

CVE-2024-23904, CVSS 7.5: an arbitrary file read vulnerability in the Log Command Plugin.

CVE-2023-6147, CVSS 7.1: an XXE vulnerability in the Qualys Policy Compliance Scanning Connector Plugin.

Jenkins 2.442 and LTS 2.426.3 fix CVE-2024-23897 by disabling the command parser feature. Administrators can re-enable it by setting the Java system property hudson.cli.CLICommand.allowAtSyntax to true, but this is not advised, especially for instances exposed to open networks.

If administrators cannot update Jenkins right away, they can temporarily block access to the CLI as a workaround.
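The two checks an administrator needs from the paragraphs above, the fix-version comparison and the file.encoding question, as an added example that is not from the article or the Jenkins project; it assumes the fix versions stated here (weekly 2.442, LTS 2.426.3) and uses Python's codecs to count which single-byte values a charset cannot decode.

```python
# Added example, not from the article or the Jenkins project: a triage helper
# for what "Manage Jenkins > System Info" shows. It (1) checks a Jenkins version
# string against the fix versions the article names (weekly 2.442, LTS 2.426.3)
# and (2) counts the byte values a default charset cannot decode.

WEEKLY_FIXED = (2, 442)     # weekly line: fixed in 2.442
LTS_FIXED = (2, 426, 3)     # LTS line: fixed in 2.426.3


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.3' into (2, 426, 3); reject anything that is not x.y or x.y.z."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version format: {version!r}")
    return parts


def has_cve_2024_23897_fix(version: str) -> bool:
    """LTS releases carry three components (x.y.z); weekly releases carry two."""
    parts = parse_version(version)
    threshold = LTS_FIXED if len(parts) == 3 else WEEKLY_FIXED
    return parts >= threshold


def undecodable_byte_values(encoding: str) -> set[int]:
    """Byte values the codec maps to U+FFFD when they appear on their own."""
    return {b for b in range(256)
            if bytes([b]).decode(encoding, errors="replace") == "\ufffd"}


def readable_fraction(blob: bytes, encoding: str) -> float:
    """Share of bytes in blob whose value survives a lossy decode unchanged."""
    if not blob:
        return 0.0
    lost = undecodable_byte_values(encoding)
    return sum(1 for b in blob if b not in lost) / len(blob)


def triage(version: str, file_encoding: str) -> dict:
    """Summarise exposure for one controller; file_encoding is its file.encoding."""
    sample = bytes(range(256))  # constructed stand-in for a binary key file
    return {
        "version": version,
        "fixed": has_cve_2024_23897_fix(version),
        "file.encoding": file_encoding,
        "undecodable_byte_values": len(undecodable_byte_values(file_encoding)),
        "binary_readable_fraction": readable_fraction(sample, file_encoding),
    }


if __name__ == "__main__":
    for v, enc in (("2.441", "utf-8"), ("2.426.2", "cp1252"), ("2.442", "utf-8")):
        print(triage(v, enc))
```

Java may report Windows-1252 as Cp1252 or windows-1252; Python's codec lookup accepts those spellings as well.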

The post Critical Jenkins Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.
