A critical security flaw in Jenkins [2] [5], known as CVE-2024-23897 [2] [4] [5] [6], has been actively exploited by threat groups [1], leading to ransomware attacks such as the one on Brontoo Technology Solutions in India [1].
Description
This vulnerability allows unauthenticated attackers to read arbitrary files and achieve remote code execution [1], potentially exposing sensitive information such as cryptographic keys [6]. The flaw, with a CVSS score of 9.8 [4], is rooted in the args4j command parser and enables attackers to read arbitrary files on the Jenkins controller file system [4]. Reading Jenkins secrets this way can lead to RCE and to escalation of privileges to administrator [4].

Jenkins [1] [2] [3] [4] [5] [6], a widely used open source tool with a 45% share of the CI/CD market and over 11 million developers globally [1], released a patch and workaround for the CVE on January 24 [1]. Multiple proof-of-concept RCE exploits have since been released [4], and nearly 45,000 internet-exposed Jenkins servers were found vulnerable to CVE-2024-23897 in January [4]. As of August 18 [4], over 28,000 servers remain vulnerable to exploitation [4]. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog because of its exploitation in ransomware attacks [5].

Trend Micro identified attack instances originating from the Netherlands [5], Singapore [5], and Germany [3] [5], with remote code execution exploits actively being traded [5]. CloudSEK and Juniper Networks revealed cyber attacks exploiting CVE-2024-23897 to infiltrate the companies BORN Group and Brontoo Technology Solutions [5], attributed to the threat actor IntelBroker and the RansomExx ransomware gang [5]. Federal Civilian Executive Branch agencies have until September 9, 2024 [5], to apply fixes and secure their networks against active threats [5]. Shadowserver identified over 31,000 potentially exposed Jenkins instances [1], compared with nearly 50,000 unpatched instances when the CVE was first disclosed [1]. The vulnerability in the Jenkins Command Line Interface (CLI) allows threat actors to gain remote code execution and read arbitrary files on the server [2].
A fix was issued in January [2], but proofs of concept emerged soon after [2], leading to multiple attacks exploiting the flaw [2]. Recent incidents include a supply-chain attack on BORN Group and a ransomware attack on Brontoo Technology Solutions in India [2], both gaining initial access via the Jenkins vulnerability [2]. Researchers have warned of proof-of-concept (PoC) exploits targeting this vulnerability [6], which could lead to remote code execution (RCE) [6]. Several weaponized PoC exploits have been released [6], and more than 75,000 internet-facing instances have been identified as vulnerable [6]. Admins are advised to install the security updates (versions 2.442 [3], LTS 2.426.3 [3] [5], or LTS 2.440.1) or to disable CLI access to protect their systems [3]. Over 28,000 vulnerable Jenkins instances worldwide [3], including 2,000 in Germany [3], are at risk [3]. An additional vulnerability (CVE-2024-23899) has also been patched [3], preventing attackers from injecting malicious code and accessing credentials [3].
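As an added example (not code from the cited articles or from the Jenkins project), the following Python triage helper takes version strings collected from your own Jenkins controllers (for instance the value of the `X-Jenkins` response header, or the version shown in the UI footer) and classifies each against the fixed releases named above; the hostnames and versions in the sample inventory are constructed. It assumes the page's fixed versions (2.442 for weekly, 2.426.3 and 2.440.1 for LTS) and cannot tell whether the CLI-disable workaround has been applied on a still-unpatched host.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases as stated in the summary above (assumption: nothing older is fixed).
FIXED_WEEKLY = (2, 442)        # weekly line: 2.442 and later
FIXED_LTS = (2, 426, 3)        # LTS line: 2.426.3 and later (2.440.1 is a later, fixed LTS line)

# Weekly releases look like "2.441"; LTS releases carry a third component, e.g. "2.426.2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(value: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an int tuple, or None if the string is not a Jenkins version."""
    match = VERSION_RE.match(value.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def vulnerable_to_cve_2024_23897(value: str) -> Optional[bool]:
    """True if the version predates the fix, False if it is a fixed release, None if unknown."""
    version = parse_version(value)
    if version is None:
        return None
    if len(version) == 3:          # LTS line
        return version < FIXED_LTS
    return version < FIXED_WEEKLY  # weekly line


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair as VULNERABLE, fixed, or unknown for follow-up."""
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown"}
    return [(host, ver, labels[vulnerable_to_cve_2024_23897(ver)]) for host, ver in inventory]


# Constructed sample inventory; replace with data from your own asset list.
SAMPLE_INVENTORY = [
    ("ci-01.example.internal", "2.426.2"),   # LTS, one patch level below the fix
    ("ci-02.example.internal", "2.426.3"),   # LTS, fixed
    ("ci-03.example.internal", "2.441"),     # weekly, one release below the fix
    ("ci-04.example.internal", "2.442"),     # weekly, fixed
    ("ci-05.example.internal", "2.440.1"),   # later LTS line, fixed
    ("ci-06.example.internal", "n/a"),       # version not collected
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {ver:10} {status}")
```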
Conclusion
The exploitation of CVE-2024-23897 in Jenkins poses a significant risk to organizations, as demonstrated by the ransomware attacks on Brontoo Technology Solutions and other companies. It is crucial for administrators to apply security updates promptly and take necessary precautions to protect their systems from potential threats. The continued emergence of proof-of-concept exploits highlights the importance of proactive security measures to mitigate the risks associated with this vulnerability.
References
[1] https://www.cybersecuritydive.com/news/jenkins-critical-cve-exploits-cisa/724729/
[2] https://devops.com/cisa-critical-jenkins-flaw-exploited-in-ransomware-attacks/
[3] https://www.heise.de/news/Softwareentwicklung-Schadcode-Attacken-auf-Jenkins-Server-beobachtetet-9840463.html
[4] https://www.scmagazine.com/news/critical-jenkins-vulnerability-added-to-cisas-known-vulnerabilities-catalog
[5] https://thehackernews.com/2024/08/cisa-warns-of-critical-jenkins.html
[6] https://securityaffairs.com/167267/hacking/cisa-adds-jenkins-command-line-interface-cli-bug-to-its-known-exploited-vulnerabilities-catalog.html