
Exploit Released for Critical Jenkins Remote Code Execution Flaw


A critical vulnerability has been discovered in Jenkins that threat actors could exploit for malicious purposes. Tracked as CVE-2024-23898, its severity has yet to be classified. The good news is that Jenkins has already addressed it in the latest versions, 2.442 and LTS 2.426.3. With Jenkins holding a market share of 44% as of 2023, the impact of this vulnerability being exploited at scale could be catastrophic.
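The fix versions above (weekly 2.442, LTS 2.426.3) are the first thing an operator checks across a fleet of controllers. The following Python snippet is an added example, not code from the article or from the Jenkins project; it compares an inventory of Jenkins version strings against those two fix releases, telling the weekly line (two components) from the LTS line (three components) by the shape of the version string, an assumption this example makes about how Jenkins numbers its releases.

```python
from typing import Dict, Iterable, Tuple

# Fix releases named in the advisory text: weekly 2.442 and LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Jenkins version string such as '2.426.2' into a tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_lts(version: str) -> bool:
    """Assumption: LTS releases carry three components (2.426.3), weekly ones two (2.442)."""
    return len(parse_version(version)) == 3


def is_patched(version: str) -> bool:
    """True when the version is at or above the fix release for its own line."""
    parsed = parse_version(version)
    fixed = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return parsed >= fixed  # tuple comparison is component-wise


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each observed controller version to 'patched' or 'update required'."""
    return {v: ("patched" if is_patched(v) else "update required") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of controllers for demonstration.
    for version, status in triage(["2.426.2", "2.426.3", "2.441", "2.442", "2.401.1"]).items():
        print(f"{version}: {status}")
```

Version strings with suffixes (release candidates, vendor builds) will not parse with `int()` and should be normalized before they reach `is_patched`; the check also says nothing about builds older than the affected range, since the article only names the fix releases.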

The vulnerability, CVE-2024-23898, is a cross-site WebSocket hijacking (CSWSH) flaw: Jenkins did not validate the origin of requests made through the CLI WebSocket endpoint. This could allow threat actors to execute CLI commands on the Jenkins controller under specific conditions. It is worth noting that most web browsers do not implement a “lax by default” policy, which would otherwise serve as a safeguard against this vulnerability. However, exploitation requires a malicious link to be sent to the victim, so user interaction is mandatory.
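The missing safeguard here is the Origin check on the WebSocket handshake. As an added illustration, not code from the article or from Jenkins, the Python function below shows what such a check looks like on the server side: a handshake carrying an `Origin` header must match one of the configured site origins after normalization, while opaque origins (`null`) and foreign sites are refused. The policy that a handshake with no `Origin` at all is accepted (on the reasoning that browsers always send it on WebSocket handshakes, so its absence indicates a non-browser client with no ambient cookies to abuse) is an assumption of this example, as are all the host names used.

```python
from typing import Iterable, Mapping, Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host:port, or None if it is not a usable web origin.

    Opaque origins ("null", sent by sandboxed frames) and non-http(s) values fall through
    to None and therefore never match an allowed origin.
    """
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def is_websocket_upgrade(headers: Mapping[str, str]) -> bool:
    """Headers are expected with lower-cased names."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def check_cli_websocket_handshake(headers: Mapping[str, str],
                                  allowed_origins: Iterable[str]) -> str:
    """Return 'allow', 'deny' or 'not-websocket' for one handshake request.

    Assumed policy: no Origin header -> non-browser client -> allow;
    Origin present -> must normalize to one of the configured site origins.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not is_websocket_upgrade(lower):
        return "not-websocket"
    if "origin" not in lower:
        return "allow"
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = normalize_origin(lower["origin"])
    return "allow" if origin is not None and origin in allowed else "deny"


if __name__ == "__main__":
    # Constructed handshakes against a constructed site origin.
    site = ["https://jenkins.example.com"]
    base = {"Upgrade": "websocket", "Connection": "Upgrade"}
    for origin in ("https://jenkins.example.com", "https://other.example", "null", None):
        hdrs = dict(base)
        if origin is not None:
            hdrs["Origin"] = origin
        print(f"Origin={origin!r}: {check_cli_websocket_handshake(hdrs, site)}")
```

Normalizing both sides before comparison matters: `https://JENKINS.example.com:443` and `https://jenkins.example.com` are the same origin, and a string compare would either reject a legitimate client or, if written too loosely (prefix matching), accept a look-alike host.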

Reports from SonarSource detail that one of the ways to invoke a Jenkins CLI command is over WebSockets. The Jenkins CLI lets users execute commands implemented in the hudson/cli directory of the Jenkins Git repository. The most common ways of invoking a command are jenkins-cli.jar or SSH, but researchers found another: sending two POST requests to http://jenkins/cli?remoting=false.

When a CLI command is invoked, Jenkins uses args4j’s parseArgument, which calls expandAtFiles. If an attacker can control the arguments, a single argument can be expanded into an arbitrary number of arguments read from an arbitrary file on the Jenkins instance. This command execution is chained with a data-leak vulnerability, CVE-2024-23897, which has the same root cause: the same file expansion leaks the contents of an arbitrary file on the Jenkins instance.

Researchers have replicated several attack scenarios and produced functional proof-of-concept (PoC) exploits, which have been published on GitHub. The data-leak vulnerability is used to read a file’s contents and recover the expanded arguments, which are then used to achieve remote code execution.
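Both request paths described above, the two-POST invocation of `/cli?remoting=false` and the WebSocket upgrade on the CLI endpoint, leave traces in the access log of the reverse proxy in front of Jenkins. The Python snippet below is an added example, not code from the article, that scans combined-format access log lines for those patterns and tallies them per source address so that an unexpected client can be spotted during triage. The log lines, addresses and the assumption that the Jenkins context path ends in `/cli` are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs

# Apache/nginx combined log format: client, identity, user, [time], "method target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label a parsed entry if it touches the CLI endpoint, else None.

    Assumption: the Jenkins context path ends in /cli (e.g. /cli or /jenkins/cli).
    """
    path, _, query = entry["target"].partition("?")
    if not path.rstrip("/").endswith("/cli"):
        return None
    params = parse_qs(query)
    if entry["method"] == "POST" and params.get("remoting") == ["false"]:
        return "cli-http-post"          # the two-POST invocation path
    if entry["status"] == "101":
        return "cli-websocket-upgrade"  # Switching Protocols on the CLI endpoint
    return "cli-other"


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, label) for every line that hits the CLI endpoint."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            hits.append((entry["ip"], entry["ts"], label))
    return hits


def summarize(lines: Iterable[str]) -> Counter:
    """Count CLI endpoint hits per (client ip, label) to spot unexpected sources."""
    return Counter((ip, label) for ip, _, label in scan(lines))


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jan/2024:10:00:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [24/Jan/2024:10:00:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jan/2024:10:00:05 +0000] "GET /cli/ HTTP/1.1" 101 0 "-" "Java/11"',
    '192.0.2.44 - - [24/Jan/2024:10:00:09 +0000] "GET /job/build/1/console HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, label), count in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {label:22} {count}")
```

CLI use is legitimate for administrators and build tooling, so the output is a triage list rather than an alert on its own: a browser user agent on the POST path, or a source address outside the set of hosts expected to run jenkins-cli.jar, is what warrants a closer look.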

Whether arbitrary code execution succeeds on a given Jenkins instance depends on context; files that matter for successful exploitation include SSH keys, /etc/passwd, /etc/shadow, project secrets and credentials, source code, build artifacts, and more.

In conclusion, the discovery of a critical vulnerability in Jenkins is cause for concern, especially given its widespread use. Jenkins has addressed the vulnerability, and organizations using the software are advised to update to the latest versions to protect themselves from exploitation by threat actors. Vigilance and adherence to security best practices remain crucial in safeguarding against cyber threats.
