The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability found in Jenkins, identified as CVE-2024-23897 with a CVSS score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalogue. This vulnerability is a path traversal flaw within the Jenkins Command Line Interface (CLI), and it can result in remote code execution (RCE) and unauthorized file access. Continue reading this Cybersecurity Threat Advisory to reduce the risk of exploitation from this vulnerability.
What is the threat?
Jenkins is an automation server used for continuous integration and continuous delivery (CI/CD). The flaw lies in the Jenkins CLI command parser, specifically in the args4j library that processes command arguments. When an attacker submits a specially crafted command containing the “@” character followed by a file path, Jenkins interprets this as an instruction to read the contents of the specified file and insert them into the command. This behavior can be abused to access sensitive files on the Jenkins controller’s filesystem, including configuration files, credentials, and other critical data. Depending on the attacker’s permissions, the impact ranges from reading specific files to executing arbitrary code if they manage to retrieve Jenkins secrets or escalate their privileges.
Why is it noteworthy?
The simplicity of this attack and its ability to execute without authentication make it particularly dangerous. Attackers can use this vulnerability to gain a foothold in a Jenkins environment, from which they can further exploit the system, deploy malware, or carry out ransomware attacks, severely compromising the integrity of the affected infrastructure. A compromise of Jenkins can lead to disruption of software delivery processes, theft of intellectual property, and unauthorized access to production environments.
What is the exposure or risk?
Various threat actors are actively exploiting the flaw to compromise systems and access sensitive data, often as part of larger supply chain attacks targeting critical industries. This vulnerability has already been exploited in ransomware attacks, which highlights its potential to cause significant harm. This is particularly true in environments where Jenkins servers are publicly accessible or poorly secured.
Organizations using vulnerable versions of Jenkins are at a heightened risk of system compromise. The exposure is especially critical for those that have not applied the necessary patches or do not have robust security controls in place. The risk includes the loss of sensitive data and the potential for full system compromise. This can lead to severe operational disruptions and financial losses, particularly if the attack results in ransomware deployment.
What are the recommendations?
Barracuda MSP strongly recommends that organizations take these additional steps to reduce the risk of exploitation and protect their critical infrastructure from this threat:
- Update Jenkins to the latest versions (2.442 and LTS 2.426.3).
- Consider disabling the CLI entirely to reduce the attack surface if it is not essential to your operations.
- Use firewalls and limit access to trusted IP ranges.
- Enforce strong authentication mechanisms, including multi-factor authentication (MFA), and limit access to Jenkins servers to trusted personnel only.
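To support the patching step above, the following triage script classifies Jenkins version strings against the fixed releases named in this advisory (weekly 2.442, LTS 2.426.3) and flags which controllers in an inventory still need updating. It is an added example, not Barracuda’s or the Jenkins project’s own code; the hostnames and versions in the sample inventory are constructed, and the hypothetical inventory values are assumed to come from a source such as the `X-Jenkins` response header.

```python
"""Flag Jenkins controllers that predate the CVE-2024-23897 fix.
Added example; not Barracuda's or the Jenkins project's code."""
import re
from typing import Dict, Tuple

# Fixed versions from the advisory: weekly line 2.442, LTS line 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Weekly releases have two components (2.441); LTS releases have three (2.426.2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (release line, numeric tuple) for a Jenkins version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line."""
    line, parts = parse_version(version)
    if line == "weekly":
        return parts < FIXED_WEEKLY
    # LTS: every baseline before 2.426 is affected; 2.426.x needs .3 or later.
    return parts < FIXED_LTS


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch', 'ok' or 'unknown' from a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "unknown"  # unparseable string: check by hand
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ci-weekly.example.internal": "2.441",
    "ci-lts-old.example.internal": "2.426.2",
    "ci-lts-new.example.internal": "2.426.3",
    "ci-main.example.internal": "2.442",
    "ci-odd.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```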
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- https://thehackernews.com/2024/08/cisa-warns-of-critical-jenkins.html
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.