Security
Headlines
HeadlinesLatestCVEs

Headline

Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

By Deeba Ahmed The vulnerabilities stem from the way Jenkins handles user-supplied data. This is a post from HackRead.com Read the original post: Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

HackRead
#csrf#vulnerability#web#windows#git#auth#zero_day#firefox

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024.

Sonar’s Vulnerability Research Team has discovered security vulnerabilities in Jenkins, an open-source CI/CD software. These vulnerabilities, which the company refers to as ‘Excessive Expansion,’ allow unauthorized attackers to read and execute arbitrary code on the server, potentially escalating privileges to admins.

For your information, Jenkins is a popular automation server used to automate the software development lifecycle, with a market share of 44% in 2023. The potential impact of security vulnerabilities on end-users is, therefore, significant.

Two vulnerabilities were identified in Jenkins software tracked as CVE-2024-23897 and CVE-2024-23898. The first leverages the “expandAtFiles” functionality to allow arbitrary file reading and code execution, and the second allows arbitrary command execution by manipulating users to visit malicious links.

The vulnerabilities stem from the way Jenkins handles user-supplied data. CVE-2024-23897 allows unauthorized adversaries with “overall/read” permission to read arbitrary files on the Jenkins controller file system. However, even without these permissions, they can read the first few lines of files due to the built-in command line interface (CLI) that uses the args4j library to parse command arguments and options on the Jenkins controller.

This allows attackers to expand arguments from a file on the Jenkins instance and potentially leak file contents. The default character encoding allows attackers with Overall/Read permission to read entire files, and those without the permission can read the first few lines. Unfortunately, this feature is enabled by default, and disabling it isn’t an option in Jenkins 2.441 and LTS 2.426.2 or earlier versions.

Unauthenticated attackers can access the system with Read permission if they meet certain conditions, including enabling legacy mode authorization, signup feature, and “Allow anonymous read access” configuration. This allows users to access the basic Jenkins API, object APIs, people directory, and agents, while administrators can access everything on a Jenkins instance. Researchers successfully read files without plugins, but couldn’t identify plugins that can increase line count.

CVE-2024-23898 is a high-severity, cross-site WebSocket hijacking (CSWSH) vulnerability, which allows attackers to execute CLI commands by manipulating victims to click on links. Modern web browsers, like Safari and Firefox, have a “lax by default” policy to protect against a vulnerability but it isn’t strictly enforced.

Due to potential bypass techniques and outdated browsers, this vulnerability is assigned a High severity classification. Browsers don’t enforce SOP and CORS policies on WebSockets, as they work over WS(WebSocket) or WSS(WebSocketSecure) protocols. WebSockets can be used by any website to invoke Jenkins-CLI commands with the victim’s identity, similar to CSRF vulnerabilities without Jenkins-crumb or Origin header check.

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024. The vendor fixed CVE-2024-23897 and CVE-2024-23898 by enabling secure configuration and origin verification for WebSocket endpoints, allowing administrators to override the default behaviour. Developers/users must immediately apply patches released in Jenkins versions 2.442 and LTS 2.426.3.

For insights, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who stated that “The urgency behind users patching their Jenkins servers immediately is driven by POC exploits already being published on GitHub, and the severity level is extremely high.”

“With this CVE, agile development teams using Jenkins are ideal vehicles for introducing and spreading vulnerabilities; that’s the real risk here. If successful, threat actors could use this exploit to infect many independent software distributions,” John explained.

“As with many open-source projects, patching is difficult because the size of teams using it tends to be small, their time pressure being agile is great, and there may be a false belief that other layers of security will offer protection. Having an accurate application inventory and automated patching solutions will reduce the time that threat actors can exploit this CVE,” he warned.

  1. Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
  2. Hackers can hijack your Bosch Thermostat and Install Malware
  3. Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks
  4. TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware
  5. Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer

Related news

CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting Jenkins to its Known Exploited Vulnerabilities (KEV) catalog, following its exploitation in ransomware attacks. The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw that could lead to code execution. "Jenkins Command Line Interface (CLI) contains a

Jenkins 2.441 Local File Inclusion

Jenkins version 2.441 suffers from a local file inclusion vulnerability.

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0776-03

Red Hat Security Advisory 2024-0776-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

Red Hat Security Advisory 2024-0775-03

Red Hat Security Advisory 2024-0775-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Issues addressed include bypass, code execution, cross site scripting, deserialization, information leakage, and insecure permissions vulnerabilities.

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!

The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the

GHSA-53ph-2r2x-vqw8: Cross-site WebSocket hijacking vulnerability in the Jenkins CLI

Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication functionality, like HTTP Basic authentication with API tokens, or session cookies. This endpoint is enabled when running on a version of Jetty for which Jenkins supports WebSockets. This is the case when using the provided native installers, packages, or the Docker containers, as well as when running Jenkins with the command java -jar jenkins.war. Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability.

GHSA-6f9g-cxwr-q5jr: Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE

Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. * Attackers with Overall/Read permission can read entire files. * Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent relea...

HackRead: Latest News

Hackers Leak 300,000 MIT Technology Review Magazine User Records