Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: CRITICAL VULNERABILITY IN JENKINS IS ACTIVELY EXPLOITED BY RANSOMWARE GROUPS TO ACHIEVE REMOTE CODE EXECUTION. PATCH IMMEDIATELY!
Image
Published : 21/08/2024
Reference:
Advisory #2024-206
Version:
1.1
Affected software:
Jenkins 2.441 and earlier versions
Jenkins LTS 2.426.2 and earlier versions
Type:
Remote code execution
CVE/CVSS:
CVE-2024-23897
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
On 24 January 2024, Jenkins published a security advisory addressing a critical vulnerability in its command line interface (CLI). This vulnerability comes from a specific feature in the command parser, which is enabled by default in Jenkins 2.441 and earlier versions; LTS 2.426.2 and earlier does not disable it either.
Jenkins highlights how instances on Windows are more likely than not to use a character set that makes it feasible to implement exploits involving reading binary files. It is important to stress that the flaw can also be found on other operating systems including Linux and Mac OS X.
This vulnerability is currently under active exploitation, notably by ransomware groups.
Exploitation of this vulnerability can have a high impact on confidentiality, integrity and availability.
Description
CVE-2024-23897 is an arbitrary file read vulnerability affecting Jenkins’s command line interface. Jenkins uses a command parser with a specific feature that is enabled by default. This feature allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
The degree to which attackers can read files depends on their Overall/Read permission:
- Attackers with Overall/Read permission can read entire files.
- Attackers without Overall/Read permission can read the first few lines of files.
Binary files containing cryptographic keys used for various Jenkins features can also be read. Attacks exploit the attackers’ ability to obtain cryptographic keys from binary files to achieve remote code execution in various ways, decrypt stored secrets, delete items and download a Java heap dump.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing.
Jenkins patched the vulnerability in patch versions Jenkins 2.442, LTS 2.426.3 and LTS 2.440.1.
NOTE: As this an advisory on an old vulnerability that is now exploited, new versions of Jenkins have been released since. Please update your Jenkins to version 2.471, LTS 2.452.4 or LTS 2.462.1, to avoid subsequent vulnerabilities.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.