Two sentences summarizing the content: The article discusses CVE-2024-23897, a critical vulnerability affecting Jenkins up to version 2.441 that allows unauthenticated reading of files from the Jenkins controller filesystem via a crafted CLI payload. It also covers Splunk’s security analytics, hunting queries, and guidance on logging Jenkins activity and deploying reverse proxies to defend CI/CD pipelines. #CVE-2024-23897 #Jenkins
Keypoints
- CVE-2024-23897 enables reading arbitrary files from the Jenkins controller filesystem without authentication, affecting Jenkins versions up to 2.441.
- The exploit leverages a flaw in Jenkins’ CLI command parser where an ‘@’ character followed by a file path is treated as a directive to insert the file contents into the command.
- Proof-of-concept (PoC) exploits were released quickly on GitHub (e.g., binganao/CVE-2024-23897 and h4x0r-dz/CVE-2024-23897), along with a Nuclei template.
- The attack flow involves an upload request with a crafted payload to trigger the read, followed by a download request to retrieve the file contents.
- Splunk’s security analytics provide queries to detect exploitation (e.g., monitoring POST requests to /cli?remoting=false with 200 OK) and guidance on logging Jenkins activity.
- Defensive recommendations include capturing Jenkins logs in Splunk and using a reverse proxy to secure traffic to Jenkins servers.
- Splunk shares hunting queries and a set of atomic indicators (IPs) to help defenders detect exploitation attempts in real environments.
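As an added illustration (not code from the Splunk article or from Jenkins), the detection condition above, POST to /cli?remoting=false answered with 200 OK, applied in Python to constructed reverse-proxy access log lines and extended to flag a source that issues two such requests close together, matching the upload-then-download flow. The combined log format, the sample addresses and user agents, and the 60-second pairing window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2024:10:15:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Jenkins-CLI"
203.0.113.7 - - [24/Jan/2024:10:15:03 +0000] "POST /cli?remoting=false HTTP/1.1" 200 2048 "-" "Jenkins-CLI"
198.51.100.4 - - [24/Jan/2024:10:16:10 +0000] "GET /job/build/1/console HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jan/2024:10:17:45 +0000] "POST /cli?remoting=false HTTP/1.1" 403 0 "-" "curl/8.1"
192.0.2.9 - - [24/Jan/2024:10:18:00 +0000] "POST /cli?remoting=false HTTP/1.1" 200 300 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_cli_hit(rec):
    """The condition from the article: a POST to /cli?remoting=false that returned 200."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/cli?remoting=false")
            and rec["status"] == 200)


def find_suspects(log_text, window_seconds=60):
    """Group matching requests by source IP; flag sources with two hits within the window
    (assumed here to approximate the upload request followed by the download request)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cli_hit(rec):
            hits[rec["ip"]].append(rec["ts"])
    result = {}
    for ip, times in hits.items():
        times.sort()
        paired = any((b - a).total_seconds() <= window_seconds
                     for a, b in zip(times, times[1:]))
        result[ip] = {"hits": len(times), "upload_download_pair": paired}
    return result
```

The 403 from 198.51.100.4 is deliberately excluded: a blocked request is worth hunting separately, but the article's condition keys on successful (200) responses.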
MITRE Techniques
- [T1105] Ingress Tool Transfer – The attacker uploads a crafted payload to the Jenkins server via an upload request to deliver the exploit. “The script first sends an upload request with a specially crafted payload. This payload instructs Jenkins to read an arbitrary file from the server’s file system.”
- [T1005] Data from Local System – The exploit reads arbitrary files from the Jenkins controller’s filesystem and returns their contents in the response, e.g., reading /etc/passwd. “The payload is a binary sequence that includes a command to read a specific file (designated in the script by the file src argument). For example, if the attacker wants to read /etc/passwd, the binary data after the command help will include @/etc/passwd.”
- [T1059] Command and Scripting Interpreter – The payload includes a command field (e.g., “Command (‘help’)”) and a file path, showing how the CLI interprets embedded commands. “The payload structure is as follows (in a simplified representation): [Command Length][Command (‘help’)][File Path Length][File Path (‘@/etc/passwd’)][Other Parameters]”
Indicators of Compromise
- [IP Addresses] – 13.212.202.12, 159.65.248.14, and further addresses listed in the source article
- [Domains] – github.com, splunk.com (sites referenced by the article, not attacker infrastructure)
- [URLs] – https://github.com/binganao/CVE-2024-23897, https://github.com/h4x0r-dz/CVE-2024-23897
- [File Paths] – /etc/passwd, /var/jenkins_home/secrets/initialAdminPassword
Read more: https://www.splunk.com/en_us/blog/security/security-insights-jenkins-cve-2024-23897-rce.html