ACSC issues critical alert on “active exploitation” of vulnerabilities in Jenkins DevOps tools
Critical and high-alert vulnerabilities can lead to remote code execution and cross-site hijacking.
The Australian Cyber Security Centre (ACSC) overnight released a Critical Alert regarding a series of vulnerabilities in a popular DevOps tool.
Jenkins, maker of the related products and plugins, released its own security advisory the day before.
“ASD’s ACSC is tracking multiple vulnerabilities affecting Jenkins products, which could result in remote code execution and cross-site WebSocket hijacking,” the ACSC Alert said.
Most alarmingly, it appears threat actors are already taking advantage of the flaws.
“The ASD ACSC is aware of reports of active exploitation of both vulnerabilities.”
The vulnerabilities affect the following Jenkins products:
- Jenkins (core)
- Git Server Plugin
- GitLab Branch Source Plugin
- Log Command Plugin
- Matrix Project Plugin
- Qualys Policy Compliance Check Connector Plugin
- Red Hat Dependency Analysis Plugin
The critical vulnerability stems from the args4j library, which Jenkins uses to parse the arguments of CLI commands.
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the contents of the file (expandAtFiles),” Jenkins said in its statement. “This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable it.”
“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
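To make the parser feature the advisory describes concrete, the following Java program is an added illustration written for this article; it is not Jenkins's or args4j's own code and does not claim to reproduce how Jenkins 2.442 disables the feature. It assumes args4j 2.33 is on the classpath and uses that library's `ParserProperties.withAtSyntax` switch. The file it reads is a constructed temporary file standing in for any file the parsing process can read.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

/**
 * Added example (not Jenkins or args4j code): shows args4j's @file
 * expansion ("expandAtFiles") and the library-level switch that turns it off.
 * Assumes args4j 2.33 on the classpath.
 */
public class AtFileExpansionDemo {

    /** Minimal argument bean: collects every positional argument it is given. */
    public static class Args {
        @Argument
        public List<String> positional = new ArrayList<>();
    }

    /** Parse argv with the given parser properties and return the positional arguments seen. */
    public static List<String> parse(ParserProperties props, String... argv) throws CmdLineException {
        Args bean = new Args();
        new CmdLineParser(bean, props).parseArgument(argv);
        return bean.positional;
    }

    public static void main(String[] argv) throws IOException, CmdLineException {
        // Constructed stand-in for a file on the host running the parser.
        Path file = Files.createTempFile("demo-at-file", ".txt");
        Files.write(file, List.of("first line of the file", "second line of the file"),
                StandardCharsets.UTF_8);
        String atArg = "@" + file.toAbsolutePath();

        // Default properties: @-syntax is enabled, so an argument of the form
        // "@<path>" is replaced by the file's contents, one argument per line.
        List<String> expanded = parse(ParserProperties.defaults(), "build", atArg);
        System.out.println("atSyntax=true  -> " + expanded);

        // Hardened properties: @-syntax disabled, so the same argument is
        // passed through literally and the file is never opened.
        List<String> literal = parse(ParserProperties.defaults().withAtSyntax(false), "build", atArg);
        System.out.println("atSyntax=false -> " + literal);

        Files.delete(file);
    }
}
```

With the default properties the positional list holds the lines of the file rather than the `@` argument; with `withAtSyntax(false)` it holds the literal `@<path>` string. Any application that hands user-supplied strings to an args4j parser with the default properties therefore lets the caller choose files for the parser to read, which is why the advisory treats the default as something the application must switch off rather than something the library protects against.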
These are the specific vulnerabilities:
CVE-2024-23897: This is a critical vulnerability in the command parser of the Jenkins command-line interface (CLI). It could let attackers read arbitrary files on the Jenkins controller file system, which could in turn lead to remote code execution.
CVE-2024-23898: A high-severity vulnerability that allows cross-site WebSocket hijacking of the CLI, potentially letting a threat actor execute CLI commands on the Jenkins controller.
The ACSC is tracking a number of other vulnerabilities affecting Jenkins products: CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23902, CVE-2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904.
The ACSC’s advice is that any organization using Jenkins products should look for indicators of compromise and upgrade to Jenkins 2.442 or LTS 2.426.3.
Caitlin Condon, Director of Vulnerability Intelligence at Rapid7 Labs, feels that the vulnerabilities are harder to leverage than they might seem.
“Rapid7 Labs is taking a measured approach to the critical Jenkins RCE vulnerability because there are a number of restrictions that make it difficult to weaponize full code execution,” Condon told Cyber Daily in an email.
“It is possible that an unauthenticated attacker could find a way to compromise a Jenkins instance by exploiting CVE-2023-23897, but it would be a non-trivial attack; the adversary would have to take whatever information he could leak and find a way to use it to further his goals, such as exploiting the vulnerability to leak an encrypted password and then finding a way to decrypt it. We also suspect that the various estimates of Jenkins instances exposed to the Internet may be artificially high, since it is unlikely that all Internet-facing systems will have exploitable configurations.
“Regardless, Rapid7 advises organizations to remediate quickly, as anything that could potentially expose secrets is a concern, as are potential targeted attacks by motivated adversaries.”