Jenkins, a widely used Java-based open-source automation platform known for its extensive plugin ecosystem and continuous integration capabilities, recently disclosed a series of vulnerabilities. One of them is critical and can lead to Remote Code Execution (RCE), so it needs urgent attention. In this blog, we look at the implications of the Jenkins vulnerabilities and at the security risks posed by the recently disclosed RCE-capable flaw, CVE-2024-23897.
Tracked under CVE-2024-23897 with a severity score of 9.8, the vulnerability in Jenkins stems from an arbitrary file read issue impacting its built-in Command Line Interface (CLI). This CLI, used for accessing Jenkins from script or shell environments, utilizes the args4j library to parse commands.
Specifically, a parser feature called "expandAtFiles" replaces an argument consisting of the "@" character followed by a file path with the contents of that file. This feature is enabled by default in Jenkins weekly releases 2.441 and earlier and in LTS 2.426.2 and earlier, giving attackers a potential entry point for reading arbitrary files on the Jenkins controller file system.
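To make the mechanism concrete, here is a small model of an args4j-style "@file" expansion step. This is an added example written for this post, not Jenkins or args4j code: a toy preprocessor that, with the feature enabled, replaces any "@path" argument with the lines of the named file, and with the feature disabled (the behaviour the Jenkins fix adopted) passes the argument through as a literal string. The sample file and argument list are constructed inside a temporary directory so the script runs offline.

```python
import os
import tempfile
from typing import Dict, List

# Added example, not Jenkins or args4j code. Models the "expandAtFiles" idea:
# an argument that starts with "@" is replaced by the contents of the file it
# names, so whoever controls the argument list also chooses which file on the
# server gets read. The fix described for Jenkins is simply to turn this off.


def expand_at_files(args: List[str], enabled: bool = True) -> List[str]:
    """Return the argument list after "@file" preprocessing.

    enabled=True  -> "@path" is replaced by one token per non-empty line of
                     that file (a simplified model of args4j's behaviour).
    enabled=False -> the argument is kept verbatim; no file is opened.
    """
    out: List[str] = []
    for arg in args:
        if enabled and arg.startswith("@") and len(arg) > 1:
            # Vulnerable path: the parser reads whatever file the caller named.
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                out.extend(line.strip() for line in fh if line.strip())
        else:
            # Hardened path: "@..." is just another string.
            out.append(arg)
    return out


def demo() -> Dict[str, List[str]]:
    """Run the same constructed CLI argument list through both parser modes."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive file on the controller.
        secret_path = os.path.join(tmp, "constructed-secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("line-one\nline-two\n")
        cli_args = ["help", "@" + secret_path]  # constructed input
        return {
            "vulnerable": expand_at_files(cli_args, enabled=True),
            "hardened": expand_at_files(cli_args, enabled=False),
        }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(f"{mode:10s} -> {result}")
```

With expansion enabled the file's lines become part of the parsed command line, which is exactly how contents (or error messages echoing the first lines) can leak back to the caller; with it disabled the parser never touches the file system, which is why disabling the feature is a complete fix rather than a filter that could be bypassed.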
The CVE-2024-23897 vulnerability permits attackers with Overall/Read permission to read entire files. Even without this permission, attackers can still read the first few lines of a file, with the number of lines determined by the available CLI commands. Notably, binary files containing cryptographic keys can be read under certain restrictions.
Apart from reading file contents, Jenkins has outlined potential attack scenarios that threat actors could exploit to achieve RCE through this vulnerability. It’s crucial to emphasize that these attacks are only possible if attackers can obtain cryptographic keys from binary files.
Understanding the avenues through which attackers can exploit open-source software vulnerabilities is crucial for effective defense. Below, we explore several potential attack vectors that threat actors may leverage to exploit the Jenkins RCE vulnerability (CVE-2024-23897).
Protecting CI/CD systems against cyber threats requires a comprehensive approach that addresses vulnerabilities at every stage of the development pipeline. Credit for discovering and reporting this flaw, on November 13, 2023, goes to SonarSource security researcher Yaniv Nizry.
The issue has been addressed in Jenkins 2.442 and LTS 2.426.3, where the command parser feature has been disabled. As a short-term workaround until the patch can be applied, it is strongly recommended to temporarily disable access to the CLI.
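Because the affected and fixed versions differ between the weekly and LTS lines, a quick triage script helps when checking a fleet of controllers. The following is an added example, not a tool from the Jenkins project: it classifies a version string against the fixed releases named above (weekly 2.442, LTS 2.426.3), assuming the convention that LTS releases carry three version components (e.g. 2.426.2) and weekly releases carry two (e.g. 2.441). The inventory it runs over is constructed; in practice you would feed it the version each server reports.

```python
from typing import Dict, Tuple

# Added example, not Jenkins project code. Fixed releases per the advisory text:
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.441' or '2.426.2' into an integer tuple for ordered comparison."""
    parts = version.strip().split(".")
    if not (2 <= len(parts) <= 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    # Assumption used by this example: LTS versions have three components,
    # weekly versions have two.
    return len(version) == 3


def affected(version: str) -> bool:
    """True if this version still has the expandAtFiles feature enabled."""
    ver = parse_version(version)
    if is_lts(ver):
        return ver < FIXED_LTS      # LTS 2.426.2 and earlier
    return ver < FIXED_WEEKLY       # weekly 2.441 and earlier


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patch' (affected), 'ok' (fixed) or 'unknown' (unparseable)."""
    verdicts: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "patch" if affected(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory of hostnames and the version each reported.
    sample = {
        "ci-weekly-old.example": "2.441",
        "ci-weekly-new.example": "2.442",
        "ci-lts-old.example": "2.426.2",
        "ci-lts-fixed.example": "2.426.3",
        "ci-lts-later.example": "2.440.1",
        "ci-odd.example": "2.426.2-rc",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:24s} {verdict}")
```

Hosts reported as "patch" should be upgraded, or have CLI access disabled until they can be; "unknown" entries are worth a manual look rather than being silently skipped.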
This development comes nearly a year after Jenkins tackled severe security vulnerabilities known as CorePlague (CVE-2023-27898 and CVE-2023-27905), emphasizing the platform’s ongoing commitment to securing Jenkins instances.
Adding urgency to the situation, proof-of-concept (PoC) exploits for CVE-2024-23897 have been made public on GitHub following the disclosure of the flaw. Users are strongly urged to update their Jenkins installations to the latest version promptly to mitigate potential server security risks.
In conclusion, these Jenkins vulnerabilities demand immediate attention from the community. Understanding the risks, applying the recommended fixes, and staying informed about security updates are essential, because the security of continuous integration infrastructure underpins the integrity of the software it builds.
In a landscape where cyber threats continually evolve, proactive measures are what keep Jenkins installations safe. To reduce the risk of exploitation, apply security patches promptly and adopt proactive security practices around your servers.
The sources for this piece include articles in The Hacker News and SOCRadar.
The post Alert: Jenkins Vulnerabilities Open Servers To RCE Attacks appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/alert-jenkins-vulnerabilities-open-servers-to-rce-attacks/