Jenkins Servers in Korea With Exposed Vulnerabilities (CVE-2024-23897, CVE-2024-43044)
Multiple vulnerabilities were announced for Jenkins, a widely used development tool, and some of them are being exploited in actual attacks. It was also found that most Jenkins servers in Korea were exposed to these vulnerabilities.
The CVE-2024-23897 vulnerability disclosed earlier this year allows unauthenticated users to read arbitrary files on the Jenkins server system. This vulnerability has a CVSS score of 9.8, indicating a very high level of risk. There was a report[1] stating that this vulnerability is being exploited in actual attacks, and according to a global news organization, a certain enterprise suffered damages due to an attack exploiting this vulnerability.[2] It is presumed that this vulnerability enables attacks on all Jenkins servers running the affected versions.
The recently disclosed CVE-2024-43044 vulnerability also allows a threat actor with Agent access privileges to read arbitrary files from the server by exploiting specific functions of a core library. This vulnerability has a CVSS score of 8.8, indicating a high level of risk.
Both vulnerabilities have publicly available Proof of Concept (PoC) codes on platforms such as GitHub and blogs, making them easy to find and potentially exploitable at any time, so caution is advised.
AhnLab SEcurity intelligence Center (ASEC) used its ASM service to identify the current status of threat exposure for its customers and investigated whether Jenkins servers operating in Korea were exposed to these vulnerabilities. At the time, there were a total of 4,245 Jenkins servers that could be accessed from the outside, and version information was available for 3,972 of them. The investigation revealed that 2,824 (71%) servers were exposed to the high-risk CVE-2024-23897 vulnerability, and 3,969 (99.9%) were exposed to the comparatively new vulnerability, CVE-2024-43044. In short, the majority of the servers are operating with these vulnerabilities exposed. (*As of Aug. 20th, 2024)
| IP | Port | Domain | Jenkins Version |
| --- | --- | --- | --- |
| 115.89.***.195 | 8080 | *******.********.net | 2.346.3 |
| 175.45.***.185 | 7979 | ***********.***.or.kr | 2.375.1 |
| 211.62.***.72 | 9000 | *****.********.com | 2.319.2 |
| 116.125.***.22 | 9090 | *****.co.kr | 2.387.3 |
| 119.205.***.48 | 8110 | ********.or.kr | 2.263.3 |

Table 1. Examples of identified vulnerable Jenkins servers

Figure 1. Current status of vulnerability exposures of Jenkins servers in Korea
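The exposure figures above come from comparing each server's reported version with the fixed release of its own line. Jenkins publishes separate fixed versions for weekly releases (two components, e.g. 2.442) and LTS releases (three components, e.g. 2.426.3), so a naive string comparison gives wrong answers. The following script is an added example, not part of the article or of ASEC's ASM service: it takes an inventory like Table 1 and reports which rows fall below the threshold for each CVE. The threshold values in DEMO_FIXES are constructed placeholders chosen so that the sample rows fall on both sides of the cut-off; replace them with the weekly and LTS fixed versions stated in the Jenkins security advisory for each CVE.

```python
import re

# Jenkins version strings: weekly releases look like "2.442" (two components),
# LTS releases like "2.426.3" (three components). Each advisory publishes a
# separate fixed version for the weekly line and for the LTS line, so a server
# must be compared against the threshold of its own release line.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return the version as a tuple of ints, or None when it is not a Jenkins version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(parts):
    return len(parts) == 3


def is_affected(version, weekly_fixed, lts_fixed):
    """True when `version` is older than the fixed release of its own line."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable Jenkins version: {version!r}")
    threshold = parse_version(lts_fixed if is_lts(v) else weekly_fixed)
    if threshold is None or is_lts(threshold) != is_lts(v):
        raise ValueError("fixed-version thresholds must be one weekly and one LTS version")
    return v < threshold


def assess_inventory(rows, fixes):
    """rows: iterable of (host, port, version) as collected by an external scan.
    fixes: {cve_id: (weekly_fixed, lts_fixed)}.
    Returns {cve_id: [(host, port, version), ...]} listing the affected servers;
    rows whose version could not be parsed are collected under the key "unknown"."""
    report = {cve: [] for cve in fixes}
    report["unknown"] = []
    for host, port, version in rows:
        if parse_version(version) is None:
            report["unknown"].append((host, port, version))
            continue
        for cve, (weekly_fixed, lts_fixed) in fixes.items():
            if is_affected(version, weekly_fixed, lts_fixed):
                report[cve].append((host, port, version))
    return report


# Sample rows taken from Table 1 of the article (masked as published there).
SAMPLE_ROWS = [
    ("115.89.***.195", 8080, "2.346.3"),
    ("175.45.***.185", 7979, "2.375.1"),
    ("211.62.***.72", 9000, "2.319.2"),
    ("116.125.***.22", 9090, "2.387.3"),
    ("119.205.***.48", 8110, "2.263.3"),
]

# PLACEHOLDER thresholds constructed for this demo so that the sample rows fall on
# both sides of the cut-off. They are NOT the real fixed versions: replace them
# with the weekly and LTS fixed versions stated in each Jenkins security advisory.
DEMO_FIXES = {
    "CVE-2024-23897": ("2.400", "2.380.1"),
    "CVE-2024-43044": ("2.460", "2.390.1"),
}

if __name__ == "__main__":
    for cve, hits in assess_inventory(SAMPLE_ROWS, DEMO_FIXES).items():
        print(cve, *hits, sep="\n  ")
```

Servers whose version string cannot be parsed (for example when the version header is hidden) are reported separately rather than silently treated as patched, which matches how the article counts the 273 servers without version information apart from the 3,972 it could assess.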
CVE-2024-23897
Jenkins provides a remote command-line interface: commands and their arguments are sent from a remote location with the Jenkins CLI tool, and the server executes them to perform various functions. This vulnerability occurs while the CLI command arguments are being parsed.

Figure 2. Upon executing Jenkins CLI
The Args4j library, used for argument parsing, has a function (expandAtFiles) that reads the contents of a file whose path follows the ‘@’ identifier and substitutes them as arguments. If the resulting input is not a valid argument for the command, an error occurs, and the error message exposes the string that was used as the argument, i.e., the contents of the file.
Analysis showed that the commands whose error messages are used in this vulnerability fall into two groups: those that can read only some lines of a file and those that can read all lines. Commands that take no arguments or a limited number of arguments expose only specific lines of a file, while commands with no restriction on the number of arguments expose every line. In addition, the commands available depend on the caller's permissions, and the commands that can read all lines are only usable in certain configurations.
In an environment with no specific configuration, only the following commands can be used with default permissions. These commands either take no arguments or use a limited number of arguments.
| Commands | Readable Lines |
| --- | --- |
| who-am-i | 1 |
| shutdown | 1 |
| safe-shutdown | 1 |
| restart | 1 |
| keep-build | 3 |
| help | 1, 2 |
| enable-job | 2 |
| disable-job | 2 |

Table 2. Commands that can be used without permission
With default permissions, only certain lines of a file can be exfiltrated using the vulnerability. However, key files that contain no line separators, such as an SSH key or the Jenkins encryption key, could have their entire content output.

Figure 3. Example of using commands that can read a portion of a file
In certain settings, it is possible to execute commands that take multiple arguments. If any of the configurations below is set, all the lines of a file can be read using the vulnerability.
– When the anonymous access feature is enabled
– When read permissions are granted to all users
– When user registration is allowed
– When Legacy mode is enabled

Figure 4. Jenkins configurations related to the vulnerability
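The four settings listed above all live in the controller's config.xml (the authorizationStrategy and securityRealm elements), so an operator can audit them offline rather than by clicking through the UI. The script below is an added example, not code from the article or from the Jenkins project: it reads a config.xml and reports each of the weak settings from the list. The class names and element names it looks for (Unsecured and Legacy strategies, FullControlOnceLoggedIn with denyAnonymousReadAccess, matrix permission entries for Overall/Read, and disableSignup on the built-in user database) are assumed from the standard Jenkins config.xml format; verify them against your own file, since plugins can add other strategies. The two config.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Class names as they appear in the `class` attribute of the authorizationStrategy
# and securityRealm elements of $JENKINS_HOME/config.xml (assumed; verify against
# your own config.xml, since plugins can introduce other strategies).
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LEGACY = "hudson.security.LegacyAuthorizationStrategy"
LOGGED_IN_FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
OVERALL_READ = "hudson.model.Hudson.Read"   # the "Overall/Read" permission id


def _is_true(element, tag, default):
    """Read a boolean child element, falling back to `default` when it is absent."""
    text = element.findtext(tag) if element is not None else None
    return default if text is None else text.strip().lower() == "true"


def audit_config(xml_text):
    """Return a list of findings, one per weak setting from the article's list."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _is_true(root, "useSecurity", True):
        findings.append("anonymous access: security is disabled (useSecurity=false)")

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls == UNSECURED:
        findings.append("anonymous access: Unsecured authorization strategy (anyone can do anything)")
    elif cls == LEGACY:
        findings.append("legacy mode: LegacyAuthorizationStrategy is in use")
    elif cls == LOGGED_IN_FULL_CONTROL and not _is_true(strategy, "denyAnonymousReadAccess", False):
        # An absent element is treated as "not denied", the conservative reading.
        findings.append("anonymous access: logged-in users can do anything, anonymous read not denied")
    elif "MatrixAuthorizationStrategy" in cls:
        for perm in strategy.iter("permission"):
            # Old format: "<permission>:<sid>"; newer: "USER:<permission>:<sid>" / "GROUP:...".
            fields = (perm.text or "").strip().split(":")
            if len(fields) >= 2 and fields[-2] == OVERALL_READ:
                if fields[-1] == "anonymous":
                    findings.append("anonymous access: Overall/Read granted to anonymous")
                elif fields[-1] == "authenticated":
                    findings.append("read for all users: Overall/Read granted to authenticated")

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == PRIVATE_REALM:
        if not _is_true(realm, "disableSignup", False):
            findings.append("user registration: self sign-up is enabled (disableSignup=false)")

    return findings


# Constructed sample config.xml fragments (not taken from any real server).
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

A clean result from this audit does not make an unpatched server safe: with default permissions the commands in Table 2 still expose individual lines, so the audit only tells you whether the full-file variant is reachable while the update is pending.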
Below are the commands that can read the entire file content in specific environments as mentioned above.
| Commands |
| --- |
| connect-node |
| delete-job |
| delete-node |
| delete-view |
| disconnect-node |
| offline-node |
| online-node |
| reload-job |

Table 3. Commands that can read entire files

Figure 5. Example of using commands that can read entire files
There are multiple PoC codes available on public websites, and even without these codes, the vulnerability can be exploited immediately by anyone using the CLI access tool included by default in the Jenkins package. Users of the affected version are strongly advised to patch to a mitigated version as soon as possible.
CVE-2024-43044
This vulnerability occurs in the Remoting library, which is installed by default with Jenkins. Although the library itself is present on every installation, an Agent must be registered with Jenkins and the threat actor must have Agent access permissions to use the vulnerability.
The library provides the communication channel between the Jenkins server and the Agent, and includes a function that lets the server load Java classes requested by the Agent. Although this function seems to have been put in place to load JAR files from the server's own URLs, it does not verify the file path or type, so an Agent can have arbitrary files within the server system read and sent back to it. This vulnerability therefore allows both directory listing and arbitrary file reading.
Upon analysis, it was discovered that the vulnerability could be triggered by adding code to a certain method of the RemoteClassLoader class. If the requested path is a directory, the response contains the directory listing; if it is a file, the response includes the entire file content.

Figure 6. The original Remoting.jar RemoteClassLoader code
Since the “file://” path is allowed in the request URL, if the specified path is a directory, the list of files within that directory is sent to the Agent. If the path is a file, the entire content of the file is transmitted to the Agent.

Figure 7. Example of listing directories and reading files using the vulnerability
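The root cause described above is the absence of any validation of the URL the Agent asks the controller to fetch: a "file://" URL, a path outside the directory that serves JARs, or a directory rather than a file are all accepted. The function below is an added example of the kind of check that closes each of those gaps, written here as a stand-alone illustration rather than as the Jenkins project's actual fix. It assumes a controller that serves JARs under a single base URL (the hypothetical https://jenkins.example.internal/jars/ is a constructed value) and rejects everything that does not resolve to a .jar file under that prefix, returning a reason string that can be logged.

```python
import posixpath
from urllib.parse import urlparse, unquote

ALLOWED_SCHEMES = {"http", "https"}


def _fully_unquote(path):
    """Decode percent-encoding repeatedly so that double-encoded dot segments
    (e.g. %252e%252e) are caught by the traversal check below."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded


def check_jar_url(url, base_url):
    """Return None when `url` is an acceptable JAR location under `base_url`,
    otherwise a short reason string explaining the rejection."""
    req = urlparse(url)
    base = urlparse(base_url)

    # 1. Scheme: only the controller's web endpoint, never file://, jar:, etc.
    if req.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme '{req.scheme}' not allowed"
    # 2. Host: the request must point back at the controller, not a third party.
    if req.netloc.lower() != base.netloc.lower():
        return "host does not match the controller's JAR location"

    # 3. Path: collapse dot segments so "/jars/../../etc/x" cannot escape the prefix.
    path = posixpath.normpath(_fully_unquote(req.path))
    prefix = posixpath.normpath(base.path).rstrip("/") + "/"
    if not path.startswith(prefix):
        # Also rejects the prefix directory itself, i.e. a directory listing request.
        return "path escapes the allowed JAR prefix"
    # 4. Type: the loader is only meant to fetch JAR files.
    if not path.endswith(".jar"):
        return "only .jar files may be loaded"
    return None


def is_allowed_jar_url(url, base_url):
    return check_jar_url(url, base_url) is None


if __name__ == "__main__":
    # Constructed base URL and requests; none of these refer to a real host.
    BASE = "https://jenkins.example.internal/jars/"
    for candidate in (
        "https://jenkins.example.internal/jars/remoting.jar",
        "file:///etc/hostname",
        "https://jenkins.example.internal/jars/../../etc/hostname",
        "https://jenkins.example.internal/jars/",
    ):
        print(candidate, "->", check_jar_url(candidate, BASE) or "allowed")
```

The allowlist is deliberately positive (what is permitted) rather than a blocklist of bad schemes, because the page's own description shows how a single overlooked scheme or an unnormalised path turns a class loader into a file reader; the same pattern applies to any server-side fetch whose target is chosen by a less trusted peer.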
This vulnerability is also rated high-risk, and the vendor additionally provides a workaround program that disables the problematic fetchJar method for cases where the update cannot be applied.[3]
As the vulnerability can be triggered easily and has the potential to leak the content of important files within servers, victims will suffer great damage if it is exploited. Continuing to use the vulnerable version can increase the risk of exposure, so it is crucial to apply the latest patch to prevent damage.
Threat actors also attempt attacks exploiting other known vulnerabilities in popular products. Therefore, users should update any services they are using to the latest versions and enable the available security settings to defend against vulnerability scans and attacks. Users are also advised to regularly check security advisories from various sources to see if any of the services they operate are mentioned and, if so, to check for signs of compromise while taking immediate action.
ASEC posts security advisories on major vulnerabilities through its blog and provides tailored reports to AhnLab TIP service clients if it is confirmed that they are operating services affected by the vulnerabilities. This ATIP service ensures that the vulnerability information of AhnLab’s clients is not exposed externally and is delivered only to the relevant clients confidentially, allowing them to operate their services securely.
Related Links
[1] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[2] https://www.cybersecuritydive.com/news/jenkins-critical-cve-exploits-cisa/724729/
[3] https://github.com/jenkinsci-cert/SECURITY-3430
Security Advisories
[Security Advisory] Jenkins Security Update Advisory (CVE-2024-43044)
https://asec.ahnlab.com/ko/82339/ (This link is only available in Korean for now.)
[Security Advisory] Jenkins Security Update Advisory for Jan 2024 (CVE-2024-23897)
https://asec.ahnlab.com/ko/79332/ (This link is only available in Korean for now.)