Multiple proof-of-concept exploits for a critical Jenkins vulnerability that allows unauthenticated attackers to read arbitrary files have been made publicly available, and some researchers report that attackers are already exploiting the flaws in the wild.
Jenkins is an open-source automation server widely used in software development, particularly for Continuous Integration and Continuous Deployment.
It plays a critical role in automating various parts of the software development process, like building, testing, and deploying applications.
SonarSource researchers discovered two flaws in Jenkins that could enable attackers to access data on vulnerable servers and execute arbitrary CLI commands under certain conditions.
The first flaw, rated critical, is CVE-2024-23897, allowing unauthenticated attackers with 'overall/read' permission to read data from arbitrary files on the Jenkins server.
Attackers without this permission can still read the first few lines of files, with the number depending on the available CLI commands.
Sonar explained that exploitation of the particular flaw could lead to admin privilege escalation and arbitrary remote code execution.
This step depends on certain conditions that must be met, which are different for each attack variant.
The second flaw, tracked as CVE-2024-23898, is a cross-site WebSocket hijacking issue where attackers could execute arbitrary CLI commands by tricking a user into clicking a malicious link.
The risk arising from this bug should be mitigated by existing protective policies in web browsers, but it persists because those policies are not universally enforced.
SonarSource reported the flaws to the Jenkins security team on November 13, 2023, and helped verify the fixes in the following months.
On January 24, 2024, Jenkins released fixes for the two flaws with versions 2.442 and LTS 2.426.3, and published an advisory that shares various attack scenarios and exploitation pathways, as well as fix descriptions and possible workarounds for those unable to apply the security updates.
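A practical follow-up to the fix versions named above is checking an inventory of Jenkins instances against them. The script below is an added example, not code from the Jenkins project or the article: it parses a version string such as the one Jenkins returns in its `X-Jenkins` response header, treats three-component versions as LTS and two-component versions as weekly, and assumes that any LTS line newer than 2.426 also carries the fix. The inventory lines are constructed sample data.

```python
# Added example: classify Jenkins version strings against the fix versions
# from the advisory (weekly 2.442, LTS 2.426.3). Not the project's own code.
import re
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = (2, 442)      # weekly releases use two components: 2.442
FIXED_LTS = (2, 426, 3)      # LTS releases use three components: 2.426.3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.441' or '2.426.2' (trailing suffixes ignored) into an int tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the CVE-2024-23897/CVE-2024-23898 fix,
    False if it does not, None if the string cannot be parsed.
    Assumption: an LTS line newer than 2.426 (e.g. 2.440.x) also has the fix."""
    v = parse_version(version)
    if v is None:
        return None
    if len(v) == 3:            # LTS: compare against 2.426.3
        return v >= FIXED_LTS
    return v >= FIXED_WEEKLY   # weekly: compare against 2.442


# Constructed sample inventory: "<host>\t<X-Jenkins header value>" (not real hosts).
SAMPLE_INVENTORY = """\
ci-build01\t2.441
ci-build02\t2.442
ci-lts01\t2.426.2
ci-lts02\t2.426.3
ci-lts03\t2.414.3
ci-unknown\tn/a
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each host in the inventory to 'patched', 'vulnerable' or 'unknown'."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition("\t")
        status = is_patched(ver)
        result[host] = "unknown" if status is None else ("patched" if status else "vulnerable")
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```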
With abundant information about the Jenkins flaws now available, many researchers reproduced some of the attack scenarios and created working PoC exploits published on GitHub.
The PoCs are for CVE-2024-23897, which gives attackers remote code execution on unpatched Jenkins servers.
Many of these PoCs have already been validated, so attackers scanning for exposed servers can grab the scripts and try them out with minimal or no modification.
Some researchers report that their Jenkins honeypots have already caught activity in the wild, suggesting that hackers have started exploiting the vulnerabilities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 28 Jan 2024 17:15:25 +0000