45k Jenkins servers exposed globally due to CVE-2024-23897 (CVSS 9.8) vulnerability 

Overview 

More than 45,000 Jenkins servers are exposed to CVE-2024-23897, a vulnerability assigned a critical CVSS score of 9.8. 

Exposure is global: 15,806 instances in the US, 11,955 in China, 3,572 in India, 2,204 in the Republic of Korea, 1,482 in France, and 1,179 in the UK. 

Public exploits first appeared on 26 January. Jenkins has already shipped the fix in weekly release 2.442 and LTS release 2.426.3, which disable the file-reading behaviour described below; any instance still running an earlier version should be updated or have the workaround below applied. 

Jenkins is a widely used open-source automation server for Continuous Integration and Continuous Delivery (CI/CD). It automates building, testing, and deployment for developers, supports an extensive plugin ecosystem, and is run by organizations of all sizes. 

Technical Dissection 

The vulnerability lies in the Jenkins command line interface (CLI), not in any single CLI command. Jenkins parses CLI arguments with the args4j library, which by default replaces an argument that begins with '@' with the contents of the file whose path follows the '@'. Because this expansion is enabled by default and runs on the Jenkins controller, an attacker who can reach the CLI can make the controller open any file its process can read. 

How much of a file is disclosed depends on the attacker's permissions and on how the chosen CLI command reflects its arguments back: an attacker without Overall/Read permission can read the first few lines of a file, while an attacker with Overall/Read permission can read entire files. Multiple exploits are public and in active use. 

Because files on the controller such as SSH keys, credentials, source code, build artifacts and the binary secret keys that protect stored credentials become readable, the file read can be chained into the further attacks listed in the Jenkins advisory: remote code execution through manipulation of Resource Root URLs, decryption of secrets stored in Jenkins, deletion of any item, and download of Java heap dumps. 
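To make the mechanism concrete, here is an added Python simulation (not code from Jenkins, args4j or this blog's author) of an argument parser with args4j-style '@file' expansion next to the same parser with expansion disabled, which is what the fixed Jenkins releases do. The secret file, the expand_at_files helper and the toy zero-argument command are all constructed for the example; the toy command echoes unexpected arguments in its error text, which is the kind of reflection that turns an expanded file into a disclosure.

```python
"""Constructed simulation of the '@file' argument expansion behind
CVE-2024-23897. Added example; not code from Jenkins or args4j."""
from __future__ import annotations

import os
import tempfile


def expand_at_files(args: list[str]) -> list[str]:
    """Mimic args4j's default behaviour: an argument starting with '@' is
    replaced by the lines of the file at the path after the '@'."""
    expanded: list[str] = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:], encoding="utf-8") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def run_command(args: list[str]) -> str:
    """Toy zero-argument CLI command (constructed for this example). It echoes
    unexpected arguments in its error text, so whatever the parser substituted
    for '@path' is reflected back to the caller."""
    if args:
        return f"error: unexpected argument(s): {args}"
    return "ok"


def parse_cli_vulnerable(argv: list[str]) -> str:
    """Vulnerable flow: @file expansion runs before the command sees argv."""
    return run_command(expand_at_files(argv))


def parse_cli_hardened(argv: list[str]) -> str:
    """Hardened flow: expansion disabled, so '@/path' stays a literal string
    and the file is never opened."""
    return run_command(argv)


def demo() -> tuple[str, str]:
    """Write a constructed secret file, then feed '@<path>' to both parsers.
    Returns (vulnerable_output, hardened_output)."""
    with tempfile.NamedTemporaryFile(
        "w", suffix=".key", delete=False, encoding="utf-8"
    ) as fh:
        fh.write("line1-constructed-secret\nline2-constructed-secret\n")
        path = fh.name
    try:
        attacker_arg = "@" + path
        return parse_cli_vulnerable([attacker_arg]), parse_cli_hardened([attacker_arg])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable parser:", vulnerable)
    print("hardened parser:  ", hardened)
```

Run stand-alone, the vulnerable path prints both lines of the constructed secret file while the hardened path prints only the literal '@/tmp/....key' string the caller supplied. The Jenkins fix keeps the parser but switches this expansion off; disabling the CLI altogether, as the advisory recommends for instances that cannot be updated, removes the parser from the attack surface entirely.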

SharkStriker’s recommendations and implemented measures 

If you cannot apply the fixed versions immediately, disable access to the CLI. Jenkins states that this workaround is expected to prevent exploitation completely and that it does not require a restart.  

Admins should also review three authorization settings that widen what an unauthenticated or newly registered user can read. With the "Logged-in users can do anything" authorization strategy, disable "Allow anonymous read access": anonymous Overall/Read permission lets an attacker read entire files instead of only the first few lines.   

Better still, move off "Logged-in users can do anything" altogether, since it grants every authenticated account full control of the controller. Finally, disable "Allow users to sign up" in the security realm so that unauthorized parties cannot create accounts and obtain the read permission that turns a partial file read into a full one. 
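As an added example (not SharkStriker's tooling and not part of Jenkins), the following Python triage script classifies Jenkins instances by the version string Jenkins advertises in its X-Jenkins response header against the fixed releases named above, weekly 2.442 and LTS 2.426.3. It assumes Jenkins' numbering convention that a two-component version (2.441) belongs to the weekly line and a three-component version (2.426.2) to the LTS line, and it treats a 200 on an unauthenticated GET /api/json as a sign that anonymous read access is on. The probe results fed to it are constructed; the optional fetch_version helper performs a real request and should only be pointed at hosts you are authorized to test.

```python
"""Added triage helper for CVE-2024-23897; not Jenkins or SharkStriker code."""
from __future__ import annotations

import re
import urllib.error
import urllib.request

# Fixed releases named in the Jenkins advisory.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); any trailing qualifier is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its release line.
    Assumption: two components = weekly line, three components = LTS line."""
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def triage(probes: dict[str, tuple[int, dict[str, str]]]) -> dict[str, str]:
    """Classify results of an unauthenticated GET /api/json per host.

    probes maps host -> (HTTP status, response headers). Jenkins sends its
    version in X-Jenkins on ordinary responses, including 403 denials, so
    the version is visible either way; a 200 means anonymous read access is
    on, which upgrades the partial read to a full-file read.
    """
    findings: dict[str, str] = {}
    for host, (status, headers) in probes.items():
        version = headers.get("X-Jenkins")
        if version is None:
            findings[host] = "not jenkins or header hidden"
            continue
        verdict = "VULNERABLE" if is_vulnerable(version) else "patched"
        anon = "anonymous read ON" if status == 200 else "anonymous read off"
        findings[host] = f"{verdict} ({version}, {anon})"
    return findings


def fetch_version(base_url: str, timeout: float = 5.0) -> tuple[int, dict[str, str]]:
    """Live probe (network): (status, headers) for GET <base_url>/api/json.
    Only use against instances you are authorized to test."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Constructed probe results; these are not real hosts.
    sample = {
        "ci-a.example": (200, {"X-Jenkins": "2.441"}),
        "ci-b.example": (403, {"X-Jenkins": "2.426.2"}),
        "ci-c.example": (403, {"X-Jenkins": "2.426.3"}),
        "ci-d.example": (200, {"X-Jenkins": "2.440.1"}),
    }
    for host, finding in triage(sample).items():
        print(f"{host}: {finding}")
```

The version check is deliberately per release line: an LTS 2.414.x instance is vulnerable even though 414 is numerically below 426, and a weekly 2.441 is vulnerable while LTS 2.440.1 is not, so comparing only the first two components would misclassify both. A "patched" verdict still warrants the authorization review above; the version header says nothing about whether anonymous read or self sign-up is enabled.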

For full details, read the official Jenkins security advisory for CVE-2024-23897.  

The following are some of the general measures we have implemented to protect our clients and partners: 

  • We run continuous monitoring of the IT infrastructure to proactively detect and respond to suspicious activity and threats. 
  • We have analysed and remediated the relevant vulnerabilities, using the Indicators of Compromise published by CISA, before they could cause operational disruption.  
  • For early detection and a quick, precise response to threats, we have configured our detection mechanisms according to best practices.     
  • Through our STRIEGO dashboards, our customers can check the status of their cybersecurity posture at any time.  
