CVE-2024-23897 Detection: A Critical Jenkins RCE Vulnerability Poses Growing Risks with PoC Exploits Released
Hot on the heels of the critical CVE-2024-0204 vulnerability disclosure in Fortra’s GoAnywhere MFT software, another critical flaw is drawing the attention of cyber defenders. Recently, Jenkins developers have addressed nine security bugs affecting the open-source automation server, including a critical vulnerability tracked as CVE-2024-23897 that can lead to RCE when successfully exploited. With PoCs publicly available, there is a growing risk of CVE-2024-23897 being exploited in a wide range of attacks targeting unpatched Jenkins servers.
Detect CVE-2024-23897 Exploitation Attempts
The increasing volume of attacks weaponizing critical security flaws in popular open-source software emphasizes the urgency of promptly addressing these issues. SOC Prime Platform for collective cyber defense constantly keeps abreast of industry trends to help security engineers be equipped with defensive capabilities in time. In response to the disclosure of a novel Jenkins data leak vulnerability known as CVE-2024-23897, which allows attackers to read arbitrary files on the Jenkins controller file system and potentially gain RCE, the SOC Prime Team has promptly released relevant detection algorithms, available from the Threat Detection Marketplace content repo via the links below. Both rules detect potential CVE-2024-23897 exploitation attempts based on publicly available PoC exploit code. The detection code is mapped to MITRE ATT&CK® and can be automatically translated into dozens of SIEM, EDR, XDR, and Data Lake language formats.
Possible CVE-2024-23897 (Jenkins Data Leak Vulnerability) Exploitation Attempt (via proxy)
This detection algorithm addresses the Lateral Movement ATT&CK tactic and the Exploitation of Remote Services (T1210) technique.
Possible CVE-2024-23897 (Jenkins Data Leak Vulnerability) Exploitation Attempt (via webserver)
In the ATT&CK context, this rule addresses the Initial Access tactic and the Exploit Public-Facing Application (T1190) technique.
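The two rules above cover the same behaviour seen from two vantage points: a proxy log (absolute URLs) and a web server log (relative paths). The script below is an added example, not SOC Prime's published rule content, showing the core of such a detection: parse Combined Log Format lines, normalize the request URL so both vantage points are handled, and flag POST requests to the Jenkins CLI-over-HTTP endpoint (the controller's /cli path) from sources not on an allowlist of expected CLI users. The log lines and the allowlist are constructed.

```python
"""Flag Jenkins CLI endpoint requests in web server or proxy access logs.

Added example for this article, not SOC Prime's rule. Assumes the
Combined Log Format and that CLI-over-HTTP traffic goes to the Jenkins
controller's /cli path; the log lines and allowlist below are constructed.
"""
import re
from urllib.parse import urlsplit

# Combined Log Format: client ident user [time] "METHOD URL PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: CLI POSTs from an unknown host, one from an admin host,
# ordinary UI traffic, and one proxy-style line with an absolute URL.
SAMPLE_LOG = """\
203.0.113.45 - - [26/Jan/2024:10:15:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.45 - - [26/Jan/2024:10:15:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
10.0.0.7 - admin [26/Jan/2024:10:16:10 +0000] "POST /cli?remoting=false HTTP/1.1" 200 300 "-" "Java/17.0.9"
198.51.100.9 - - [26/Jan/2024:10:17:22 +0000] "GET /job/build/1/console HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jan/2024:10:17:30 +0000] "POST http://jenkins.example.internal:8080/cli?remoting=false HTTP/1.1" 200 640 "-" "curl/8.4.0"
"""

# Constructed allowlist: hosts that are expected to drive the Jenkins CLI.
ADMIN_SOURCES = {"10.0.0.7"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Proxy logs carry absolute URLs, web server logs carry paths; urlsplit handles both.
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def is_cli_request(rec):
    """True for POST requests to the Jenkins CLI endpoint (/cli or anything under it)."""
    return rec["method"] == "POST" and (rec["path"] == "/cli" or rec["path"].startswith("/cli/"))


def find_cli_requests(log_text, allow=ADMIN_SOURCES):
    """Return (client, path, query, status) for CLI POSTs from non-allowlisted sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cli_request(rec) and rec["client"] not in allow:
            hits.append((rec["client"], rec["path"], rec["query"], rec["status"]))
    return hits


def summarize(hits):
    """Count flagged CLI POSTs per source address."""
    counts = {}
    for client, *_ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_cli_requests(SAMPLE_LOG)
    for hit in found:
        print("CLI POST from non-allowlisted source:", hit)
    print(summarize(found))
```

This flags all CLI use from unexpected sources rather than exploitation specifically, since request bodies are not in access logs; tune the allowlist to your automation hosts, and treat any CLI traffic from the internet against an unpatched controller as worth investigating.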
As proactive vulnerability detection remains one of the top SOC content needs, progressive organizations are constantly looking for ways to accelerate their threat detection and hunting velocity. Click the Explore Detections button to obtain ready-to-deploy, vendor-agnostic detection algorithms for critical CVEs, enriched with actionable metadata that enables defenders to keep up with the evolving cyber threat landscape.
CVE-2024-23897 Analysis
The discovery of a new critical RCE flaw tracked as CVE-2024-23897 and impacting the popular Jenkins open-source automation tool for CI/CD has hit the headlines. The public release of several CVE-2024-23897 PoC exploits on GitHub significantly escalates the risks. Moreover, some researchers have reported exploitation attempts leveraging the flaw in the wild.
According to a recent advisory, Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller while handling CLI commands. The advisory highlights a feature of this command parser (“expandAtFiles”) that, by default, replaces an @ character followed by a file path in an argument with the contents of that file.
The identified vulnerability enables attackers to access arbitrary files on the Jenkins controller file system by leveraging the default character encoding of the Jenkins controller process. CVE-2024-23897 impacts Jenkins versions 2.441 and earlier, as well as LTS versions before 2.426.2.
Adversaries with the “Overall/Read” permission can read entire files, while those lacking this permission can only read the first three lines of files, depending on the available CLI commands. The vulnerability might also be weaponized to access binary files that contain cryptographic keys, though under specific limitations. Beyond reading the contents of any file with a known path, CVE-2024-23897 exploitation can also lead to a series of different RCE attacks that stem from the cryptographic keys obtained from those binary files.
To minimize the risks, users are advised to upgrade to Jenkins 2.442 or LTS 2.426.3, in which the command parser feature has been disabled. For admins who are unable to update immediately to the versions containing the fix, the Jenkins security team advises disabling access to the CLI as a temporary CVE-2024-23897 mitigation. Applying this workaround does not require a Jenkins restart.
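For the affected-version check, the following added example (not Jenkins project code) turns the version boundaries given above into a reusable function. It takes the fix versions the advisory names (weekly 2.442, LTS 2.426.3) as the boundary, so anything older on the same release line is treated as affected, and reads the version from the X-Jenkins response header that a Jenkins controller sends. The header block is constructed.

```python
"""Decide whether a Jenkins version falls in the CVE-2024-23897 affected range.

Added example, not Jenkins project code. Uses the fix versions the
advisory states (weekly 2.442, LTS 2.426.3) as the boundary: anything
older on the same release line is treated as affected. Jenkins reports
its version in the X-Jenkins response header; the header block below is
constructed.
"""
import re

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text):
    """'2.426.2' -> (2, 426, 2). Raises ValueError for anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_lts(version):
    # LTS releases use three components (2.426.2); weekly releases use two (2.441).
    return len(version) == 3


def is_affected(text):
    """True when the version is older than the fixed release on its line."""
    version = parse_version(text)
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def version_from_headers(raw_headers):
    """Pull the X-Jenkins header value out of a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed response header block from a hypothetical LTS controller.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
X-Jenkins: 2.426.2
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def assess(raw_headers):
    """Human-readable verdict for a captured response header block."""
    version = version_from_headers(raw_headers)
    if version is None:
        return "no X-Jenkins header; version unknown"
    verdict = "AFFECTED - upgrade or disable CLI access" if is_affected(version) else "not affected"
    return f"{version}: {verdict}"


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Run it against the header block of each controller in your inventory; a result of "AFFECTED" means the host should be upgraded, or CLI access disabled as the interim workaround described above.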
The increasing sophistication and rapid rise in attack volumes require fast response from defenders, backed by innovative technologies and collective cyber defense. Get started with Uncoder IO, an open-source IDE for Detection Engineering, to write faster and better detection code against emerging threats, streamline IOC matching, and translate rules into multiple cybersecurity languages on the fly. Contribute to Uncoder on GitHub to help us evolve the project and foster industry collaboration at scale.