avatarElNiak

Summary

Jenkins has been found vulnerable to a critical remote code execution (RCE) flaw, CVE-2024–23897, due to improper handling of the ‘@’ character in the args4j library, affecting versions up to 2.441 and LTS versions up to 2.426.2, with a high CVSS score of 9.8.

Abstract

The Jenkins automation server has recently been discovered to have a severe vulnerability, CVE-2024–23897, which allows for remote code execution (RCE). This vulnerability is rooted in the misuse of the args4j library's feature that replaces an ‘@’ character followed by a file path with the contents of that file. Attackers can exploit this to read arbitrary files on the Jenkins controller's file system, potentially accessing sensitive data and cryptographic keys. The severity of the vulnerability is underscored by its CVSS score of 9.8. Affected versions include Jenkins up to 2.441 and LTS versions up to 2.426.2. Various attack methods have been identified, including the use of Resource Root URLs, crafting “Remember me” cookies, and exploiting stored XSS in build logs. Jenkins has released patches in versions 2.442 and LTS 2.426.3 to address the issue, and administrators are strongly advised to update their systems to prevent potential attacks, as demonstrated by the emergence of multiple Proof-of-Concept (PoC) exploits post-disclosure.

Opinions

  • The vulnerability is considered highly severe due to its potential for widespread impact and the critical nature of RCE vulnerabilities.
  • Security researchers emphasize the importance of immediate patching and updating to the latest Jenkins versions to mitigate the risk.
  • The incident highlights the need for continuous vigilance and proactive security measures, especially for widely used software tools like Jenkins.
  • The release of PoC exploits shortly after the vulnerability's disclosure increases the urgency for administrators to secure their Jenkins instances.
  • The vulnerability serves as a reminder of the continuous cybersecurity threats and the necessity for organizations to maintain robust security practices.

Critical Jenkins RCE Vulnerability (CVE-2024–23897)

Technical Details of the Jenkins RCE Vulnerability (CVE-2024–23897)

Jenkins, a widely used open-source automation server, has recently been at the center of cybersecurity discussions due to a critical vulnerability identified as CVE-2024–23897. This vulnerability presents serious security risks, particularly in the realm of remote code execution (RCE).

CVE-2024–23897: Technical details

The Jenkins RCE vulnerability, identified as CVE-2024–23897, represents a critical security flaw within the Jenkins automation server’s command-line interface (CLI).

Core Issue

  • Args4j Library: Jenkins uses the args4j library for parsing command arguments in the CLI. This library has a feature where an ‘@’ character followed by a file path in a command argument is replaced with the contents of that file.
  • Flaw Exploitation: The vulnerability arises when this feature is misused, allowing attackers to read arbitrary files on the Jenkins controller’s file system.

Example in one of the PoC:

python CVE-2024-23897.py -l host.txt -f /etc/passwd
source

Mechanism of Exploitation

  • Improper Handling of ‘@’ Character: The args4j library’s handling of the ‘@’ character followed by a file path is at the heart of this vulnerability. This functionality, meant to enhance utility, becomes a security issue when exploited maliciously.
  • Reading Arbitrary Files: Attackers can leverage this feature to read files that they should not have access to. This includes sensitive data and cryptographic keys, depending on the attacker’s permissions.

Permission-Based Impact

  • Overall/Read Permission: Attackers with this level of permission can read entire files, gaining significant access to sensitive data.
  • Limited Permission: Those without Overall/Read permission can still exploit the vulnerability but are restricted to reading only the first few lines of files.

Remote Code Execution (RCE) Threat

  • Exploitation Methods: Various methods are available for attackers to execute code remotely, such as: - Using Resource Root URLs. - Crafting a “Remember me” cookie to impersonate an administrator. - Exploiting stored XSS in build logs.
  • CLI WebSocket Endpoint Accessibility: Certain attack methods require access to CLI WebSocket endpoints.
  • Binary Secrets Retrieval: Attackers may recover secrets stored in binary files, leading to further compromise.

Severity and Scope

  • CVSS Score: The vulnerability has been assigned a CVSS score of 9.8, reflecting its high severity and critical impact.
  • Affected Versions: Jenkins versions up to 2.441 and LTS versions up to 2.426.2 are affected.

Security Implications

  • File Content Exposure: Unauthorized exposure of file contents, especially sensitive data and cryptographic keys.
  • Variety of Attack Scenarios: The vulnerability opens up multiple avenues for attack, each with unique conditions and implications.

Affected Versions and Attack Vectors

The flaw impacts Jenkins versions up to 2.441 and LTS versions up to 2.426.2. Attackers with sufficient permissions can exploit this vulnerability to read entire files or just the first few lines, leading to different attack scenarios like RCE through Resource Root URLs, “Remember me” cookies, and stored XSS attacks in build logs.

Discovery and Public Disclosure

The vulnerability was discovered and reported by security researchers, leading to its public disclosure and highlighting the potential risks associated with unpatched Jenkins instances.

Mitigation and Patching

In response, Jenkins released patches in versions 2.442 and LTS 2.426.3, disabling the vulnerable command parser feature. Administrators are urged to update their systems immediately and, if unable, to disable Jenkins CLI access as a temporary measure.

Emergence of Proof-of-Concept Exploits

Following the disclosure, multiple Proof-of-Concept (PoC) exploits were released, increasing the urgency for administrators to secure their Jenkins instances against potential attacks.

Wider Implications and Recommendations

This incident underscores the critical importance of regular software updates and robust cybersecurity measures, especially for widely used tools like Jenkins. Organizations are advised to remain vigilant and proactive in their security practices.

Conclusion

The CVE-2024–23897 vulnerability in Jenkins serves as a stark reminder of the continuous threats in the cybersecurity landscape. Staying updated and applying recommended security measures are crucial steps in safeguarding valuable digital assets.

References:

  1. “Critical Jenkins Vulnerability Exposes Servers to RCE Attacks — Patch ASAP!” The Hacker News. Source.
  2. “CVE-2024–23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability.” Security Boulevard. Source.
  3. “CVE-2024–23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible.” Security Online. Source.
  4. “Critical Jenkins CLI File Read Vulnerability Could Lead to RCE Attacks (CVE-2024–23897).” SOCRadar. Source.
  5. “Critical Jenkins Vulnerability Leads to Remote Code Execution.” SecurityWeek. Source.
  6. Jenkins CLI Vulnerability CVE-2024–23897 — A Critical Path to Remote Code Execution. OP Innovate. Source.
  7. https://github.com/jenkinsci/jenkins
  8. https://github.com/binganao/CVE-2024-23897
  9. https://www.jenkins.io/security/advisory/2024-01-24/
Jenkins
Vulnerability
Bug Bounty
Penetration Testing
Cybersecurity
Recommended from ReadMedium
avatarVery Lazy Tech 👾
CVE-2024–23897 — Jenkins File Read Vulnerability — POC

CVE-2024–23897 is a critical vulnerability in Jenkins that allows unauthenticated attackers to read arbitrary files on the Jenkins…

3 min read
avatarHarshad Shah
VPS for Hackers: Top Picks for Bug Bounty and Cloud Pentesters Enthusiasts 2025

VPS for Hackers: Top Picks for Bug Bounty and Cloud Pentesters

4 min read
avatarAstik Rawat
OSCP+: Step-by-Step Guide to Success

Hi all, I am back with everyone’s favorite certificate and most requested certificate — Offensive Security Certified Professional+ (OSCP+)…

5 min read
avatarJose Campo
Conquering Active Directory for OSCP+: Essential Techniques and Strategies — Part 1

This is the first of a series of short articles written to assist with the Active Directory (AD) portion of the new OSCP+ exam format. The…

3 min read
avatarMuhammad Waseem
Log4j RCE Vulnerability (CVE-2021–44228) Exploitation

Assalam o Alaikum,

3 min read
avatarloyalonlytoday
Finding a p4 as per bug crowd vrt

2 min read