CVE-2024-23897 - Jenkins - Arbitrary file read vulnerability with RCE potential

Overview

CVE-2024-23897 is an unauthenticated arbitrary file read vulnerability that can lead to RCE under some circumstances.

Vulnerable versions:

  • Jenkins: up to 2.441 (inclusive)
  • Jenkins LTS: up to 2.426.2 (inclusive)

The root cause of the vulnerability lies in the args4j library used to parse Jenkins CLI command arguments. This parser has a feature that replaces an @ character followed by a file path with the contents of that file when it is used as a command argument. In the example below, each line of /etc/passwd is read and fed back to the who-am-i command as an argument. As the contents of the file are not valid command arguments, the CLI throws exceptions that include the offending lines, resulting in information disclosure.

java -jar jenkins-cli.jar -s <Jenkins URL> who-am-i @/etc/passwd

Figure: vulnerability exploitation example (screenshot from a RangeForce module)

Read limitations

There is a catch. The number of disclosed lines depends on the number of arguments the Jenkins CLI command accepts. As seen in the image above, only the first line of /etc/passwd was disclosed. That is because the who-am-i command does not accept any arguments. A CLI command that accepts an unlimited number of arguments would allow reading an unlimited number of lines from an arbitrary file. In practice, however, unauthenticated adversaries are limited to reading only the first couple of lines with the default Jenkins authorization settings.

Jenkins command for more lines

Sonar’s Vulnerability Research Team, the team that discovered the vulnerability, identified the CLI command that allows reading an arbitrary number of lines from a file. connect-node is the Jenkins command normally used to connect the Jenkins controller to nodes. It accepts a list of strings and attempts to connect to each of them, so it can be used to display the whole file.

Figure: vulnerability exploitation example using connect-node (screenshot from a RangeForce module)

Unauthenticated read permissions

There is a catch, yet again. connect-node requires read access on the Jenkins instance. With the default authorization settings configured during Jenkins installation, unauthenticated users do not have read access. An unauthenticated adversary gains read access if the authorization method is set to one of the following:

  • Anyone can do anything
  • Legacy mode
  • Logged-in users can do anything, if either "Allow users to sign up" or "Allow anonymous read access" is enabled

An authenticated adversary can read whole files if the authorization method is set to one of the above. Reads are limited to files accessible to the OS user Jenkins is running as.

Remote code execution

Currently known methods of reaching RCE depend heavily on the adversary’s ability to read and recreate Jenkins binary files. Exfiltrating binary files is challenging because the Jenkins CLI converts them to text before returning them. During this conversion, bytes that are not valid in the character encoding of the Jenkins instance are replaced with a placeholder for an illegal value. Per the Jenkins advisory, roughly half of the bytes of a binary file exfiltrated from a Linux host will be mangled. On Windows, on the other hand, only 5 out of 256 possible byte values are illegal. This is due to the default encodings on the respective operating systems (UTF-8 vs Windows-1252). Long story short, recreating Jenkins binary files exfiltrated from a Windows host is much easier than from a Linux host.
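To see where the "roughly half" and "5 out of 256" figures come from, the following added example (not code from the original post or from Jenkins) decodes every possible byte value under both charsets and counts the ones that would be replaced by a placeholder. It assumes each byte is decoded in isolation with Python's codecs, which approximates what a line-oriented text reader does to a file of arbitrary binary data.

```python
# Added example: count byte values that cannot be decoded under the default
# charsets of a Linux (UTF-8) and a Windows (Windows-1252 / cp1252) Jenkins host.
# Assumption: bytes are decoded one at a time; Python's codecs stand in for
# the Java charset decoder Jenkins uses when converting file contents to text.

def undecodable_bytes(encoding: str) -> list[int]:
    """Return the byte values (0..255) that the charset cannot decode on their own."""
    bad = []
    for value in range(256):
        try:
            bytes([value]).decode(encoding)
        except UnicodeDecodeError:
            # This byte would be turned into the charset's replacement placeholder.
            bad.append(value)
    return bad


def mangled_fraction(encoding: str) -> float:
    """Fraction of the 256 byte values that would be mangled during conversion."""
    return len(undecodable_bytes(encoding)) / 256


def recoverable_summary() -> dict[str, int]:
    """Number of byte values that survive conversion intact, per charset."""
    return {enc: 256 - len(undecodable_bytes(enc)) for enc in ("utf-8", "cp1252")}


if __name__ == "__main__":
    for enc in ("utf-8", "cp1252"):
        bad = undecodable_bytes(enc)
        print(f"{enc}: {len(bad)} of 256 byte values undecodable "
              f"({mangled_fraction(enc):.0%}): {[hex(b) for b in bad][:8]}...")
    # utf-8: 128 of 256 byte values undecodable (50%)
    # cp1252: 5 of 256 byte values undecodable (2%)
```

Under UTF-8 every byte value 0x80 to 0xFF is invalid on its own, which is why a Linux host mangles about half of a binary file, while cp1252 leaves only the five unassigned values 0x81, 0x8D, 0x8F, 0x90 and 0x9D undefined.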

Horizon3 has created a nice risk matrix regarding reaching RCE that you can read in their blog post.

Remediation/Mitigation

The vulnerability has been fixed by Jenkins and a patch is available. Jenkins users are strongly advised to patch as soon as possible. Patched versions:

  • Jenkins: 2.442
  • Jenkins LTS: 2.426.3

The command parser feature (@<file_path>) was disabled in the patched versions.

If immediate patching is not possible, users are advised to disable CLI access to the Jenkins instance as a mitigation.

This post is licensed under CC BY 4.0 by the author.