A critical security flaw in the popular Jenkins open-source automation server is on the Cybersecurity and Infrastructure Security Agency’s (CISA) list of known vulnerabilities after being exploited in ransomware and other attacks.
The U.S. government’s top cybersecurity agency added the bug – tracked as CVE-2024-23897 and with a CVSS severity score of 9.8 out of 10 – to its catalog of Known Exploited Vulnerabilities, which puts federal agencies on notice to secure their Jenkins servers, though CISA also warned all organizations running such servers to ensure they’re secure.
The vulnerability in the Jenkins Command Line Interface (CLI) is an arbitrary file read flaw caused by a feature of the args4j command parser the CLI uses. Threat actors can exploit it to read files on the Jenkins controller, and, depending on what those files contain (credentials, secrets, cryptographic keys), escalate to remote code execution (RCE).
The Java-based Jenkins server, which is maintained by CloudBees and the Jenkins community, is used by developers for continuous integration and continuous delivery (CI/CD) and automates steps in the software development lifecycle, including building, testing and deployment. The tool, supported by the likes of Amazon Web Services (AWS), GitHub and JFrog, has more than a million users.
Flaw Becomes Public, Gets Fixed
Yaniv Nizry, a vulnerability researcher with code-analysis vendor SonarSource, first reported on the security flaw in January, noting that with a market share of about 44%, “the popularity of Jenkins is evident. This means the potential impact of security vulnerabilities in Jenkins is large.”
A fix was issued in January in Jenkins 2.442 and LTS 2.426.3, which disable the offending feature of the command parser. The maintainers explained that Jenkins comes with a built-in CLI for accessing Jenkins from a script or shell environment, and that it uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands.
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles),” the maintainers wrote. “This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
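To make the mechanism concrete, here is a small Python model of the at-file expansion described above. It is an added illustration, not Jenkins or args4j code: the `NodeLookupCommand` class is a hypothetical CLI command, the secret file content is constructed, and the version check encodes the affected ranges from the Jenkins advisory (2.441 and earlier, LTS 2.426.2 and earlier), which a Jenkins controller exposes in its `X-Jenkins` response header.

```python
"""
Toy model of the args4j "@file" expansion (expandAtFiles) behind
CVE-2024-23897, plus a version check against the advisory's affected
ranges. Added illustration only: this is not Jenkins or args4j code.
"""
import tempfile
from pathlib import Path


def expand_at_files(args, at_syntax=True):
    """Model of the parser step: an argument of the form '@<path>' is
    replaced by the contents of <path>. As in args4j, each line of the
    file becomes its own argument. With at_syntax=False (the behaviour
    Jenkins switched to in 2.442 / LTS 2.426.3) the token is left alone."""
    expanded = []
    for arg in args:
        if at_syntax and len(arg) > 1 and arg.startswith("@"):
            expanded.extend(Path(arg[1:]).read_text().splitlines())
        else:
            expanded.append(arg)
    return expanded


class NodeLookupCommand:
    """Hypothetical CLI command taking one positional argument (a node
    name) and echoing an unknown name back in its error message, which is
    how a file read turns into a leak of the file's first line."""

    KNOWN_NODES = {"built-in", "linux-agent-01"}

    def __init__(self, at_syntax=True):
        self.at_syntax = at_syntax

    def run(self, args):
        parsed = expand_at_files(args, self.at_syntax)
        if not parsed:
            return "ERROR: argument NODE is required"
        name = parsed[0]
        if name not in self.KNOWN_NODES:
            return f"ERROR: No such node '{name}'"
        return f"OK: {name} ({len(parsed) - 1} extra arguments ignored)"


def demo_file_read(secret_text):
    """Run the same argument list through the vulnerable and the hardened
    parser and return both outputs. secret_text stands in for a sensitive
    file on the controller."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text(secret_text)
        cli_arg = [f"@{secret}"]
        vulnerable = NodeLookupCommand(at_syntax=True).run(cli_arg)
        hardened = NodeLookupCommand(at_syntax=False).run(cli_arg)
    return vulnerable, hardened


# Affected per the Jenkins advisory: 2.441 and earlier, LTS 2.426.2 and earlier.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def is_vulnerable_version(version):
    """Weekly releases carry two components (2.441), LTS three (2.426.2);
    the X-Jenkins response header of a controller exposes this string."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 3:
        return parts < FIXED_LTS
    if len(parts) == 2:
        return parts < FIXED_WEEKLY
    raise ValueError(f"unrecognised Jenkins version string: {version!r}")


if __name__ == "__main__":
    # Constructed sample content standing in for a sensitive file.
    sample = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    vuln, hard = demo_file_read(sample)
    print("at-syntax enabled :", vuln)
    print("at-syntax disabled:", hard)
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

With at-syntax enabled the error message echoes the first line of the file; with it disabled the literal `@/path` string is treated as an ordinary argument and nothing is read. On a real controller how much of a file leaks depends on the command used and on the caller's permissions, which is why the advisory treats even unauthenticated access as serious.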
Cybercriminals Jump In
Proofs of concept (PoCs) reportedly began emerging soon after Jenkins issued the fix. Trend Micro researchers reported in March that they were seeing multiple attacks exploiting the flaw, with 28 of the 44 source IP addresses observed located in the Netherlands and the rest in countries including Singapore and Germany. Most of the targets were in South Africa.
They also saw instances where RCE exploits were being traded.
Other researchers found more recent attacks leveraging the Jenkins vulnerability. CloudSEK in July reported a supply-chain attack on Born Group, an international customer experience agency and consultancy based in New York City, by the threat group IntelBroker, which specializes in data breaches, extortion and selling access to compromised systems.
The CloudSEK researchers said IntelBroker exploited CVE-2024-23897 to gain initial access via a vulnerable Jenkins server before gaining access to Born Group’s GitHub repository.
Ransomware Attack in India
Earlier this month, Juniper Threat Lab researchers wrote about a ransomware attack on Brontoo Technology Solutions, an IT services and consultancy in India that collaborates with C-Edge Technologies, a joint venture between Tata Consultancy Services and the State Bank of India. Juniper and CloudSEK attributed the attack to the RansomEXX ransomware group, which has been active since 2018, operates out of Russia or Eastern Europe, and targets government agencies, banks and healthcare organizations.
The attack disrupted retail payment services at Indian banks. Again, the attackers gained initial access to Brontoo’s IT environment via the Jenkins vulnerability.
“This vulnerability allows an unauthenticated user to read the first few lines of any files on the file system,” the researchers wrote. “It exists because the command parser’s built-in feature has not been disabled by default. If successfully exploited, this vulnerability can lead to the leakage of sensitive files and data, potential command execution and enable a ransomware attack.”