Jenkins Servers Used for CI/CD Contain Critical RCE Flaw – Source: www.databreachtoday.com

Source: www.databreachtoday.com

Governance & Risk Management, Patch Management

Approximately 45,000 Vulnerable Servers Worldwide

Mihir Bagwe (MihirBagwe), Prajeet Nair (@prajeetspeaks) • January 30, 2024

Jenkins Servers Used for CI/CD Contain Critical RCE Flaw
Hackers are searching for vulnerable Jenkins servers. (Image: Jenkins Project)

Hackers are scanning the internet looking for vulnerable instances of the Jenkins server used by software developers for continuous integration and continuous delivery in automating development.


There are approximately 45,000 exposed Jenkins servers susceptible to a critical remote code execution flaw that has multiple public proof-of-concept exploits circulating on the open internet, the Shadowserver Foundation tweeted. Most of the vulnerable servers are in China, and the United States comes in second.

The Shadowserver Foundation isn’t the only organization looking for vulnerable servers. “Our honeypots see someone is mass-scanning and exploiting Jenkins CLI endpoints,” tweeted a researcher.

The Jenkins project, which maintains the open-source automation server software, published a security alert Feb. 24 warning users that attackers could exploit a feature in the command line parser to obtain file contents.

Specifically, the command line interface uses the args4j library, which returns file contents when parsing an argument starting with the @ character followed by a file path. Jenkins versions 2.442 and LTS 2.426.3 patch the flaw, although the project said administrators can also disable access to the command line interface.
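A quick way for defenders to triage their own Jenkins fleet against the fixed releases named above (weekly 2.442, LTS 2.426.3) is to compare each instance's self-reported version with the first fixed release of its line. The example below is added here and is not code from the article or the Jenkins project; it assumes that Jenkins reports its version in the X-Jenkins response header, and the host list and headers are constructed samples so that it runs offline.

```python
"""Classify a Jenkins instance's self-reported version as patched or not
for the args4j "@file" CLI flaw described in the article.

First fixed releases per the advisory quoted above:
  weekly line : 2.442
  LTS line    : 2.426.3
Version is taken from the X-Jenkins response header (assumed); the headers
used below are constructed samples, not real hosts.
"""
import re
from typing import Tuple

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(raw: str) -> Tuple[int, ...]:
    """'2.426.2' -> (2, 426, 2). Rejects anything that is not dotted integers."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {raw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(raw: str) -> bool:
    """Weekly builds have two components (2.N), LTS builds three (2.N.M).
    Each line has its own first fixed release, so compare within the line."""
    v = parse_version(raw)
    if len(v) == 2:
        return v >= FIXED_WEEKLY
    if len(v) == 3:
        return v >= FIXED_LTS
    raise ValueError(f"unexpected version shape: {raw!r}")


def assess(headers: dict) -> dict:
    """Summarise one host from its HTTP response headers (case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-jenkins")
    if raw is None:
        return {"jenkins": False, "version": None, "patched": None}
    return {"jenkins": True, "version": raw, "patched": is_patched(raw)}


# Constructed sample responses for illustration only.
SAMPLE_HOSTS = {
    "build-a.internal": {"X-Jenkins": "2.426.2"},   # LTS, one below the fix
    "build-b.internal": {"X-Jenkins": "2.442"},     # weekly, first fixed release
    "build-c.internal": {"x-jenkins": "2.426.3"},   # LTS, first fixed release
    "build-d.internal": {"X-Jenkins": "2.441"},     # weekly, one below the fix
    "www.internal": {"Server": "nginx"},            # not Jenkins at all
}


def vulnerable_hosts(hosts: dict = SAMPLE_HOSTS) -> list:
    """Hosts that answer as Jenkins with a version below the fixed release."""
    return sorted(h for h, hdrs in hosts.items() if assess(hdrs)["patched"] is False)


if __name__ == "__main__":
    for host, hdrs in SAMPLE_HOSTS.items():
        print(host, assess(hdrs))
```

Note that a later LTS line such as 2.440.x sorts above 2.426.3 and is correctly reported as fixed, while a pre-fix weekly build such as 2.441 is flagged even though it is numerically above the LTS threshold.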

Attackers who already have overall/read permission can read entire files. Attackers without that permission can still get the first few lines of a file. The flaw is tracked as CVE-2023-23897.

Jenkins holds an estimated 44% share of the CI/CD market. Security researchers warned of multiple working exploits for CVE-2023-23897.

Several validated POCs are available, giving attackers ready-made scripts that need minimal or no modification when scanning for exposed servers.

“Attackers could leverage this vulnerability, by reading Jenkins secrets, to escalate privileges to admin and eventually execute arbitrary code on the server,” said the SonarSource researchers who discovered the vulnerability.

SonarSource found a second Jenkins vulnerability tracked as CVE-2024-23898. It is a cross-site WebSocket hijacking vulnerability. Since unpatched Jenkins command line interfaces lack an origin check, any website could potentially use WebSocket to perform actions in Jenkins as if they were the user. The method is similar to how some security vulnerabilities, such as cross-site request forgery, work, the researchers said.

Original Post url: https://www.databreachtoday.com/jenkins-servers-used-for-cicd-contain-critical-rce-flaw-a-24220
