[2024.09 Vulnerability Report] Jenkins Arbitrary File Read | Cloud-Based Platform AIONCLOUD

Threat Intelligence Report


[2024.09 Vulnerability Report] Jenkins Arbitrary File Read

Vulnerability report written by the TA team by analyzing "Jenkins Arbitrary File Read"


The vulnerability is an arbitrary file read in Jenkins: an attacker with access to an agent can connect to the controller and read any file on the controller's file system, which can be escalated to remote code execution (RCE).

The vulnerability was patched in Jenkins 2.471, LTS 2.452.4, and LTS 2.462.1, and AIWAF is continuously monitoring related vulnerabilities.


Tags: Jenkins, CVE-2024-43044, Arbitrary File Read, Remote Code Execution, Jenkins Remoting Library, Jenkins Agent, Jenkins Controller


1. Overview

Jenkins is a tool used to automate tasks such as building, testing, and deploying software, and we analyzed CVE-2024-43044, a file read vulnerability in the tool.



2. Attack Types

The architecture of Jenkins is composed of Jenkins Agents and Controllers that coordinate tasks such as managing, scheduling, and monitoring the agents. The communication between Jenkins Agent and Controller uses the Remoting library, which communicates via its own protocol or SSH.


https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/

This vulnerability allows an agent to read arbitrary files on the controller: when the agent requests a file it needs from the controller's file system, the controller-side code that serves the request does not restrict the requested path.

Therefore, an attacker who can obtain the agent.jar file, or who obtains the agent name and secret from credentials leaked through remoting.jar, can connect to the controller using the Remoting communication library and call the vulnerable hudson.remoting.RemoteClassLoader instance to read arbitrary files.

The file read can then be used to steal information about a specific user, forge a Remember-Me cookie from that information, and gain access to the Jenkins script console to execute malicious commands.
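The root cause described above is a file-serving path that is never checked against the directory the controller intended to share. The following is an added illustration of that class of defect and of the containment check that closes it; it is not code from this report or from the Jenkins remoting code base, and the directory layout, file names and contents are constructed for the demonstration.

```python
"""Path-containment check of the kind missing from the vulnerable code path.

Added example (not from the AIONCLOUD report or the Jenkins remoting code
base): a minimal 'serve the file the agent asked for' helper in two forms.
The unrestricted form reads whatever path the agent names; the restricted
form refuses anything that resolves outside the directory the controller
meant to share. The directory layout and file contents below are constructed.
"""
import tempfile
from pathlib import Path


class PathOutsideShare(ValueError):
    """Raised when a requested path escapes the shared directory."""


def read_unrestricted(share: Path, requested: str) -> bytes:
    """Illustrates the defect: the requested name is joined and read as-is."""
    return (share / requested).read_bytes()


def read_restricted(share: Path, requested: str) -> bytes:
    """Resolve the path fully (following symlinks) and require it to sit under share."""
    base = share.resolve()
    target = (base / requested).resolve()
    # Compare the resolved paths (Python 3.9+ Path.is_relative_to) so that
    # '..' segments and symlinks cannot yield a path outside the share.
    if not target.is_relative_to(base):
        raise PathOutsideShare(requested)
    return target.read_bytes()


def build_demo() -> tuple:
    """Constructed layout: a share directory and a secret file next to it."""
    root = Path(tempfile.mkdtemp())
    share = root / "share"
    share.mkdir()
    (share / "tool.jar").write_bytes(b"jar-bytes")
    (root / "secret.key").write_bytes(b"controller-secret")
    return root, share


def probe(requested: str) -> dict:
    """Run one request through both readers and report what each returned."""
    _root, share = build_demo()
    result = {"unrestricted": None, "restricted": None}
    try:
        result["unrestricted"] = read_unrestricted(share, requested)
    except OSError:
        result["unrestricted"] = "error"
    try:
        result["restricted"] = read_restricted(share, requested)
    except PathOutsideShare:
        result["restricted"] = "refused"
    return result


if __name__ == "__main__":
    print(probe("tool.jar"))        # both readers return the jar bytes
    print(probe("../secret.key"))   # only the restricted reader refuses
```

The important design choice is comparing fully resolved paths rather than inspecting the request string: a check that only rejects a literal `..` can be bypassed through symlinks inside the share, whereas resolving both sides first makes the containment decision depend on where the file actually lives.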


3. Countermeasures

The vulnerability has been patched in Jenkins 2.471, LTS 2.452.4, and LTS 2.462.1, and Jenkins has also provided corrected agent files for controllers that could not apply the fix.

The vulnerability lies in the agent-to-controller communication channel (Jenkins' own proprietary Remoting protocol, or SSH), which does not appear to be an area that AIWAF can pattern-match.
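Because a WAF cannot see this traffic, the practical control is confirming that every controller runs a fixed release. The check below is an added example, not code from this report or from the Jenkins project: it takes the version string a controller advertises (Jenkins sends it in the `X-Jenkins` response header) and compares it against the fixed releases named in this report, treating the weekly and LTS lines separately. The host names and header values are constructed.

```python
"""Check whether a Jenkins controller's reported version includes the fix.

Added example (not from the AIONCLOUD report or the Jenkins project). The
fixed versions come from the report: weekly 2.471, LTS 2.452.4 and LTS 2.462.1.
The sample X-Jenkins header values below are constructed for the demonstration.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed releases as stated in the report.
FIXED_WEEKLY = (2, 471)            # weekly line: 2.471 and later
FIXED_LTS = {                      # LTS lines: first release carrying the fix
    (2, 452): (2, 452, 4),
    (2, 462): (2, 462, 1),
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.452.4' -> (2, 452, 4) or '2.471' -> (2, 471); None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_fixed(version: Tuple[int, ...]) -> bool:
    """True if the version is at or past the first fixed release of its line.

    Weekly releases have two components (2.471), LTS releases three (2.452.4).
    The lines must be compared separately: LTS 2.452.4 is fixed even though it
    is numerically lower than the unfixed weekly 2.470.
    """
    if len(version) == 2:
        return version >= FIXED_WEEKLY
    if len(version) == 3:
        line = version[:2]
        if line in FIXED_LTS:
            return version >= FIXED_LTS[line]
        # Assumption: LTS lines newer than 2.462 were cut after the fix, and
        # older LTS lines (e.g. 2.440.x) never received it.
        return line > (2, 462)
    return False


def assess_header(x_jenkins: str) -> str:
    """Classify one X-Jenkins header value: 'fixed', 'vulnerable' or 'unknown'."""
    version = parse_version(x_jenkins)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(version) else "vulnerable"


def triage(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each controller name to its verdict."""
    return {name: assess_header(value) for name, value in headers.items()}


# Constructed sample: controller name -> X-Jenkins header value observed.
SAMPLE_HEADERS = {
    "ci-weekly": "2.470",
    "ci-lts-old": "2.452.3",
    "ci-lts-fixed": "2.452.4",
    "ci-lts-new": "2.462.2",
    "ci-unknown": "",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{host}: {verdict}")
```

Run it against an inventory export instead of `SAMPLE_HEADERS` to get a per-controller list; an `unknown` verdict means the header was missing or hidden and the version must be confirmed another way.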


https://github.com/jenkinsci/remoting/blob/master/docs/protocols.md


4. Conclusion

The file read vulnerability in Jenkins can be exploited easily by anyone who gains access to an agent by any means, and with over 516,000 Jenkins servers exposed as of September 24, 2024, its impact is high, so Jenkins should always be kept patched to the latest version.

[Figure: ZoomEye search results for “Jenkins”]

Our AIWAF products continue to monitor for vulnerabilities in Jenkins and will continue to respond quickly to any relevant vulnerabilities that are discovered.


5. References
