PoC exploits for Jenkins vulnerability are being targeted in the wild, researchers reveal


Security researchers have begun publishing working proof-of-concept (PoC) exploits for a critical vulnerability in Jenkins' continuous integration and continuous deployment (CI/CD) software.

One researcher warned malevolent actors are already actively trying to exploit the flaw in the wild.

CVE-2024-23897 and CVE-2024-23898, rated critical and high-severity respectively, were disclosed on 24 January by Yaniv Nizry, a vulnerability researcher at clean code specialists Sonarsource.

If exploited, the critical vulnerability CVE-2024-23897 could enable admin privilege escalation and ultimately allow attackers to carry out remote code execution (RCE) attacks on victims' servers.

Similarly, the second high-severity security flaw uncovered by Nizry, CVE-2024-23898, was shown to potentially allow attackers to execute arbitrary CLI commands if they are able to trick employees at the target organization into clicking a malicious link.

Since being disclosed, security researchers have made a number of PoC exploits for CVE-2024-23897 publicly available, with some already being validated as viable attack vectors.

One researcher claimed they have already observed CVE-2024-23897 being exploited in the wild, with their honeypots set up to lure interest from hackers indicating “someone is mass-scanning and exploiting Jenkins CLI endpoints”.

Jenkins is one of the most popular open-source software automation services, reporting a market share of 44% in August 2023, and consequently the fallout from these disclosures could be significant.

Both CVE-2024-23897 and CVE-2024-23898 were patched in Jenkins versions 2.442 and LTS 2.426.3, with customers advised to update as soon as possible.

In a security advisory released on 24 January, Jenkins described a potential workaround for administrators who are unable to update immediately, where disabling access to Jenkins CLI can prevent exploitation of CVE-2024-23898.
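The article gives the two fixed versions (weekly 2.442 and LTS 2.426.3) but Jenkins runs two release lines with different numbering, so a naive string comparison gets the answer wrong. The following Python script is an added example, not code from the article or from the Jenkins project: it parses a version string, decides whether it belongs to the weekly line (two components) or the LTS line (three components), compares it against the right fix version, and triages a constructed inventory of hostnames and versions that are invented for the example.

```python
import re

# Fixed versions as named in the article: weekly 2.442 and LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Weekly releases look like "2.441", LTS releases like "2.426.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(text):
    """Return a tuple of ints for a Jenkins version string.

    Two components mean a weekly release, three mean an LTS release.
    Anything else (snapshot or custom builds) raises ValueError so it is
    reviewed by hand instead of silently passing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_patched(version_text):
    """True if the version is at or past the fix for CVE-2024-23897/23898.

    LTS versions are compared against 2.426.3, weekly versions against 2.442.
    Tuple comparison handles the numeric ordering (2.430 < 2.442, not "2.430" > "2.442").
    """
    v = parse_jenkins_version(version_text)
    if len(v) == 3:
        return v >= FIXED_LTS
    return v >= FIXED_WEEKLY


def triage(inventory):
    """Given {host: version}, return the sorted list of hosts still needing an upgrade."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ci-build-01.example.internal": "2.426.2",  # LTS, one release short of the fix
    "ci-build-02.example.internal": "2.426.3",  # LTS, fixed
    "ci-weekly.example.internal": "2.441",      # weekly, one release short of the fix
    "ci-lab.example.internal": "2.442",         # weekly, fixed
    "ci-legacy.example.internal": "2.414.3",    # older LTS line, below the fixed LTS version
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE NEEDED: {host} ({SAMPLE_INVENTORY[host]})")
```

In practice the version string would come from your asset inventory or from the `X-Jenkins` response header a controller returns, which is an assumption of this example about how the value is collected rather than something the article describes.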

Critical flaw could provide hackers with administrator access to victim’s environments

The critical vulnerability, CVE-2024-23897, allows attackers to read some or all of certain files on the Jenkins server, depending on their level of authorization.

The flaw takes advantage of the software's 'expandAtFiles' functionality in order to read arbitrary files, with unauthorized users being able to read a "limited amount" of the files' data, whereas hackers with 'read-only' access would be able to read the entire file.

“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents (expandAtFiles)”, the security advisory from Jenkins explained.

Nizry detailed how attackers could use this access to improve their understanding of Jenkins’ internal systems and escalate their privileges to the level of administrator, allowing them to execute code on the server.
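The advisory text above describes the parser feature precisely enough to model it. The Python below is an added example written for this article, not Jenkins or args4j code: it reproduces the '@path' substitution against an in-memory dictionary standing in for files on disk (paths and contents are invented), so you can see why a file-reading feature inside a command parser turns any CLI argument into a file read, and then shows a restricted variant that only honours '@' paths inside an allow-listed directory and rejects traversal out of it. The restricted variant is this example's own mitigation design, not a description of what the Jenkins patch does.

```python
import posixpath

# Constructed stand-in for files on a controller's disk. Paths and contents are
# invented for this example and are not real Jenkins files.
FAKE_FILES = {
    "/tmp/build-args.txt": "-p release=true -p arch=x86_64",
    "/etc/example-secret": "EXAMPLE-SECRET-PLACEHOLDER",
}


def read_file(path, files=FAKE_FILES):
    """In-memory replacement for open(path).read() so the example runs offline."""
    if path not in files:
        raise FileNotFoundError(path)
    return files[path]


def expand_at_files(args, files=FAKE_FILES):
    """Model of the parser behaviour the advisory describes: an argument of the
    form '@<path>' is replaced by the whitespace-separated tokens of that file.
    Note that nothing here checks which file is being read; that is the weakness.
    """
    out = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            out.extend(read_file(arg[1:], files).split())
        else:
            out.append(arg)
    return out


def expand_at_files_restricted(args, allowed_root, files=FAKE_FILES):
    """Restricted variant (this example's mitigation, not the Jenkins fix):
    expansion is honoured only for normalised paths inside allowed_root.
    Anything else, including '..' traversal that resolves outside the root,
    raises PermissionError instead of being read.
    """
    root = posixpath.normpath(allowed_root) + "/"
    out = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            path = posixpath.normpath(arg[1:])
            if not path.startswith(root):
                raise PermissionError(f"refusing @-file outside {allowed_root}: {arg}")
            out.extend(read_file(path, files).split())
        else:
            out.append(arg)
    return out


def at_file_arguments(args):
    """Audit helper: list the '@'-prefixed arguments of a CLI invocation so a
    reviewer can see which files a command would have pulled in."""
    return [a for a in args if a.startswith("@") and len(a) > 1]


if __name__ == "__main__":
    cmd = ["build", "@/tmp/build-args.txt"]
    print("unrestricted:", expand_at_files(cmd))
    print("restricted:  ", expand_at_files_restricted(cmd, "/tmp"))
    print("audit:       ", at_file_arguments(cmd))
```

The point of the side-by-side is the check that the unrestricted version lacks: the parser has no notion of which files a CLI caller should be allowed to reference, so the restriction has to be imposed before the read happens, not after.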


The high-severity flaw, CVE-2024-23898, is a cross-site WebSocket hijacking (CSWSH) exploit stemming from a weakness in the software's WebSocket CLI feature, which lacks an origin check.

In the blog disclosing this flaw, Nizry explained how threat actors could use social engineering attacks to trick users into clicking malicious links that would enable the attacker to eventually execute CLI commands as the victim.

Like the more severe CVE-2024-23897, the potential impact of exploiting this flaw depends on the permissions of the attacker; however, the specific web browser the victim is using will also dictate the level of access the intruder will have.

“Certain modern web browsers implement a ‘lax by default’ policy, which serves as a potential safeguard against this vulnerability”, Nizry noted.

“Nonetheless, given that some widely used browsers like Safari and Firefox do not strictly enforce this policy, and considering the associated risks of potential bypass techniques or users using outdated browsers, the severity classification for this vulnerability is High.”
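The two defences the article touches on for the CSWSH flaw are an origin check on the WebSocket handshake and the browser's SameSite cookie behaviour. The Python below is an added example, not Jenkins code: it implements the origin check a WebSocket endpoint should perform (compare the browser-supplied Origin header against the configured root URL, with scheme, host and default port normalised) and a small helper that reports whether a Set-Cookie header declares SameSite explicitly rather than relying on a browser default that, as Nizry notes, differs between browsers. The handshake headers, hostnames and cookie values are constructed for the example.

```python
from urllib.parse import urlsplit


def normalise_origin(value):
    """Reduce an Origin header or URL to (scheme, host, port), filling in the
    default port so 'https://h' and 'https://h:443' compare equal. Returns None
    for anything that is not an http(s) origin, including the literal 'null'."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def websocket_origin_allowed(headers, root_url):
    """Decide whether a WebSocket upgrade request may proceed.

    Browsers always send Origin on a WebSocket handshake, so a present Origin
    must match the server's own root URL exactly (this is the check the article
    says the vulnerable feature lacked). A request with no Origin at all comes
    from a non-browser client and cannot be a cross-site browser request, so it
    is passed through here; tighten that if your deployment has no such clients.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return True
    expected = normalise_origin(root_url)
    return expected is not None and normalise_origin(origin) == expected


def samesite_attribute(set_cookie):
    """Return the SameSite value declared on a Set-Cookie header (lower-cased),
    or None if the cookie leaves the decision to the browser's default."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower() or None
    return None


# Constructed handshakes: hostnames are invented for this example.
JENKINS_ROOT_URL = "https://jenkins.example.internal/"
SAME_SITE_HANDSHAKE = {
    "Host": "jenkins.example.internal",
    "Upgrade": "websocket",
    "Origin": "https://jenkins.example.internal",
}
CROSS_SITE_HANDSHAKE = {
    "Host": "jenkins.example.internal",
    "Upgrade": "websocket",
    "Origin": "https://third-party.example",
}
NON_BROWSER_HANDSHAKE = {
    "Host": "jenkins.example.internal",
    "Upgrade": "websocket",
}

if __name__ == "__main__":
    for label, hs in [("same-site", SAME_SITE_HANDSHAKE),
                      ("cross-site", CROSS_SITE_HANDSHAKE),
                      ("non-browser", NON_BROWSER_HANDSHAKE)]:
        print(f"{label:12} allowed={websocket_origin_allowed(hs, JENKINS_ROOT_URL)}")
    print("SameSite:", samesite_attribute("session=abc123; Path=/; HttpOnly; SameSite=Lax"))
```

The origin check is the server-side control; the SameSite helper is for verifying that a session cookie does not depend on the "lax by default" behaviour the article describes as uneven across browsers, which is a defence-in-depth check rather than a substitute for the origin comparison.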

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.