Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

ACSC releases critical alert over ‘active exploitation of vulnerabilities in Jenkins DevOps tools

Critical and high-alert vulnerabilities could lead to remote code execution and cross-site hijacking.

user icon David Hollingworth
Wed, 31 Jan 2024
ACSC releases critical alert over ‘active exploitation of vulnerabilities in Jenkins DevOps tools
expand image

The Australian Cyber Security Centre (ACSC) has overnight released a critical alert over a series of vulnerabilities in a popular DevOps tool.

Jenkins, the maker of the products and related plugins, had released its own security advisory the day before.

“ASD’s ACSC is tracking multiple vulnerabilities impacting Jenkins products which could result in remote code execution and cross-site WebSocket hijacking,” the ACSC alert said.

============
============

More alarmingly, it appears threat actors are already taking advantage of the flaws.

“ASD’s ACSC is aware of reporting of active exploitation of both vulnerabilities,” the alert said.

The vulnerabilities impact the following Jenkins products:

  • Jenkins (core)
  • Git server Plugin
  • GitLab Branch Source Plugin
  • Log Command Plugin
  • Matrix Project Plugin
  • Qualys Policy Compliance Scanning Connector Plugin
  • Red Hat Dependency Analytics Plugin

The vulnerability relates to the args4j library, which Jenkins uses to parse command arguments.

“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles),” Jenkins said in its advisory. “This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.”

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”

These are the specific vulnerabilities:

CVE-2024-23897: This is a critical vulnerability in the command line interface command parser, which can give attackers the ability to read arbitrary files on the Jenkins controller file system, which could, in turn, result in remote code execution.

CVE-2024-23898: A high-severity vulnerability that enables cross-site WebSocket hijacking in the command line, leading to the possibility that a threat actor could execute CLI commands on the Jenkins controller.

The ACSC is tracking a number of other vulnerabilities that affect Jenkins products: CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, 2024-23902, 2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904.

The ACSC advises that any organisation using Jenkins’ products should scan for indicators of compromise and upgrade to Jenkins 2.442 or LTS 2.426.3.

Caitlin Condon, director of vulnerability intelligence at Rapid7, feels the vulnerabilities are harder to take advantage of than they might appear.

“Rapid7 Labs is taking a measured approach to the critical Jenkins RCE vulnerability because there are a number of constraints that make it difficult to weaponise for full code execution,” Condon told Cyber Daily via email.

“It’s possible that an unauthenticated attacker could find a way to compromise a Jenkins instance by exploiting CVE-2023-23897, but it would be a non-trivial attack; the adversary would have to take whatever information they’re able to leak and find a way to use it to further their objectives, such as exploiting the vulnerability to leak an encrypted password and then finding a way to decrypt it. We also suspect that the various estimates of internet-exposed Jenkins instances may be artificially high, since it’s unlikely all internet-facing systems have exploitable configurations.

“Regardless, Rapid7 advises organisations to patch quickly since anything that can potentially expose secrets is a concern, as are potential targeted attacks by motivated adversaries.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.