A critical vulnerability in the Jenkins open-source continuous integration/continuous delivery (CI/CD) automation server, which could lead to remote code execution (RCE) and theft of sensitive information, has been added to the Cybersecurity & Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalog.
The addition comes after Juniper Networks found that the RansomEXX ransomware group used the flaw to infiltrate Brontoo Technology Solutions, a collaborator with C-Edge Technologies, in a supply chain attack targeting C-Edge’s customers, which are mostly cooperative and regional rural banks in India.
These attacks were first discovered on Aug. 1, and Juniper Networks published its findings on the role of the Jenkins vulnerability on Aug. 13.
The vulnerability, which is tracked as CVE-2024-23897, was first patched and disclosed in January 2024, and affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier. The flaw is fixed in versions 2.442 and LTS.426.3.
Overview of critical Jenkins RCE vulnerability CVE-2024-23897
CVE-2024-23897, which has a CVSS score of 9.8, is rooted in a feature of the args4j command parser used by Jenkins’ built-in command line interface (CLI), which replaces an “@” character followed by a file path in an argument with the file’s contents, according to the Jenkins advisory.
This flaw enables attackers with Overall/Read permissions to read the entirety of arbitrary files on the Jenkins controller file system, and those without Overall/Read permissions to read the first few lines of files.
However, research by Sonar Source’s Vulnerability Research Team, which discovered the vulnerability, showed that the flaw could eventually lead to RCE through the reading of Jenkins secrets and escalation of privileges to administrator.
Multiple proof-of-concept RCE exploits were released for Jenkins CVE-2024-23897 in the days following its disclosure, and Jenkins’ advisory includes a non-exhaustive list of five possible RCE conditions, including methods to achieve RCE via resource root URLs, “Remember me” cookies, cross-site scripting (XSS) through build logs, and cross-site request forgery (CSRF) protection bypass.
The vulnerability can also be leveraged to decrypt secrets stored in Jenkins, delete any items in Jenkins and download Java heap dumps of the Jenkins controller process or any agent process, which could potentially contain sensitive information.
In January, after the vulnerability was disclosed, the Shadowserver foundation reported that nearly 45,000 internet-exposed Jenkins servers were vulnerable to CVE-2024-23897. As of August 18, Shadowserver’s dashboard showed more than 28,000 servers still remain vulnerable to exploitation.
