Last Wednesday, on January 24, 2024, the Jenkins team issued a security advisory disclosing a critical vulnerability, CVE-2024-23897, affecting the Jenkins CI/CD tool.
This advisory set off alarm bells among the infosec community because the potential impact is huge: Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution.
Jenkins is a common target for attackers, and, as of this writing, there are four prior Jenkins-related vulnerabilities in CISA's catalog of Known Exploited Vulnerabilities.
Our advice for users of Jenkins is don't panic unless you need to.
The typical Jenkins install will not be exploitable by unauthenticated attackers.
CVE-2024-23897 resides in the Jenkins CLI, an alternative way for users to interact with Jenkins without going through the web interface.
An unauthenticated attacker with no permissions can leak the first couple of lines of arbitrary text files on a vulnerable Jenkins server.
There are two dangerous Jenkins configuration options that allow unauthenticated attackers to effectively act like authenticated attackers.
Binary files can also be read, but the Jenkins server will try to convert them into text using the default character encoding defined for the Jenkins server.
According to the Jenkins advisory, if Jenkins is running on Linux, where the default character encoding set is UTF-8, on average half the characters in binary files will end up being mangled.
If Jenkins is running on Windows, where the default character encoding is Windows-1252, a much smaller percentage of the characters would be mangled on average.
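The two paragraphs above claim that decoding a binary file as UTF-8 mangles about half of its bytes while Windows-1252 mangles far fewer. The following added example (not code from the Horizon3 post) makes that measurable: it tests every single byte value for whether it survives a decode-then-encode round trip under a given charset, and separately decodes a constructed blob containing all 256 byte values the way a text reader would, counting the replacement characters that come out. The function names and the sample blob are this example's own.

```python
# Added example: how much of a binary file is destroyed when it is rendered
# as text under a given default charset. The helpers and the sample blob
# (every byte value 0x00..0xFF, constructed here) are not from the original post.

REPLACEMENT = "\ufffd"  # what a lenient decoder emits for an undecodable byte


def mangled_byte_values(encoding: str) -> list[int]:
    """Return the single byte values that cannot survive decode -> encode
    under `encoding`. Each such byte is a position where the original
    content is unrecoverable once the file has been shown as text."""
    lost = []
    for b in range(256):
        raw = bytes([b])
        try:
            if raw.decode(encoding).encode(encoding) != raw:
                lost.append(b)
        except UnicodeError:
            lost.append(b)
    return lost


def mangled_fraction(encoding: str) -> float:
    """Share of the 256 possible byte values that `encoding` cannot carry."""
    return len(mangled_byte_values(encoding)) / 256


def replacement_fraction(blob: bytes, encoding: str) -> float:
    """Decode `blob` leniently (U+FFFD substituted for undecodable input) and
    report the share of input bytes that came out as replacement characters.
    This mirrors what a server does when it forces a binary file through a
    text path: the bytes are not hidden, they are gone."""
    text = blob.decode(encoding, errors="replace")
    return text.count(REPLACEMENT) / len(blob)


# Constructed sample: a "binary file" containing every byte value once.
ALL_BYTES = bytes(range(256))


def report(encodings=("utf-8", "cp1252")) -> dict[str, float]:
    """Mangled share per charset for the constructed sample blob."""
    return {enc: replacement_fraction(ALL_BYTES, enc) for enc in encodings}


if __name__ == "__main__":
    for enc, frac in report().items():
        print(f"{enc:8s} mangles {frac:.1%} of the sample "
              f"({len(mangled_byte_values(enc))} byte values cannot round-trip)")
```

Under UTF-8 every byte from 0x80 upward is invalid on its own, so exactly half of the byte values are lost; under Windows-1252 only the five code points Python's codec leaves undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D) are lost, about 2%. For a defender the practical reading is the one the post draws: a short high-entropy secret leaked through a UTF-8 text path is usually unrecoverable, whereas through Windows-1252 it is mostly intact.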
Secret file is a small binary file that contains an encrypted key used to encrypt other secrets.
Risk Matrix

Attacker has no permissions:
  Jenkins server running on Linux: Risk: Low
  Jenkins server running on Windows: Risk: Moderate
  Can only read the first few lines of arbitrary text files. Binary files can't be read. The Jenkins master.
If it's possible to read secrets stored in binary files, an attacker can dump all credentials stored in Jenkins.
Cred dumping only requires three files from the Jenkins server: the master.
This is the score we'd expect for typical Jenkins installs that haven't been patched for this vulnerability but are using default configuration options and are running on Linux.
Finally, it's not always possible to exploit this vulnerability, particularly if the Jenkins server is running behind a reverse proxy.
Updating to Jenkins 2.442 or 2.426.3, or any later release, addresses this vulnerability.
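Deciding whether a given Jenkins instance is past the fixed releases is less trivial than it looks, because the two fixed versions come from different release lines and a naive comparison would rank the LTS fix 2.426.3 below the weekly fix 2.442. The added example below (not code from the Horizon3 post) classifies a reported version string, such as the value Jenkins returns in its X-Jenkins response header (a detail not mentioned on this page), against the two fixed versions named above. The weekly-versus-LTS rule, the helper names and the sample inventory are this example's own assumptions.

```python
# Added example: version triage against the fixes named in the post.
# Assumptions (not from the original post): Jenkins weekly releases have two
# numeric components (2.442) and LTS releases three (2.426.3), so the line a
# version belongs to is decided by its component count.

FIXED_WEEKLY = (2, 442)      # first patched weekly release per the post
FIXED_LTS = (2, 426, 3)      # first patched LTS release per the post


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.3' into (2, 426, 3). Anything that is not two or three
    dot-separated integers raises ValueError, so junk never reads as patched."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version format: {version!r}")
    return parts


def is_lts(parsed: tuple[int, ...]) -> bool:
    """LTS releases carry a third component (assumed convention, see above)."""
    return len(parsed) == 3


def is_patched(version: str) -> bool:
    """True if `version` is at or beyond the fix for its own release line."""
    parsed = parse_version(version)
    if is_lts(parsed):
        return parsed >= FIXED_LTS
    return parsed >= FIXED_WEEKLY


def triage(reported: dict[str, str]) -> dict[str, str]:
    """Map host -> 'patched' | 'UPDATE NEEDED' | 'unknown' for version strings
    collected from your own inventory (e.g. X-Jenkins header values)."""
    result = {}
    for host, version in reported.items():
        try:
            result[host] = "patched" if is_patched(version) else "UPDATE NEEDED"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ci-weekly.example.test": "2.441",    # weekly, one behind the fix
    "ci-lts.example.test": "2.426.3",     # LTS, exactly the fix
    "ci-old-lts.example.test": "2.414.3", # older LTS line, unpatched
    "ci-new-lts.example.test": "2.440.1", # newer LTS line, patched
    "ci-odd.example.test": "unknown",     # not a version string
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28s} {SAMPLE_INVENTORY[host]:10s} {verdict}")
```

The branch on release line is the whole point: a plain tuple comparison against the larger of the two fixed versions would flag every LTS install as vulnerable, while comparing only against 2.426.3 would wrongly pass weekly 2.430. Treating unparsable strings as "unknown" rather than "patched" keeps the check fail-closed.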
The post CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability appeared first on Horizon3.
This Cyber News was published on securityboulevard.com. Publication date: Mon, 29 Jan 2024 20:43:03 +0000