Critical Jenkins Vulnerability Exposes Servers to RCE Attacks


VTA-004472 – Critical Jenkins Vulnerability Exposes Servers to RCE Attacks

Jenkins is a Java-based open-source automation platform with plugins designed for continuous integration. It is used to continually create and test software projects, making it easier for developers and DevOps engineers to integrate changes to the project and for consumers to get a new build.

Several security flaws in Jenkins were patched in the latest update. The first critical vulnerability that was patched is the arbitrary file read vulnerability through the CLI. This vulnerability allowed attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

The next vulnerability was a cross-site WebSocket hijacking vulnerability in the CLI. Jenkins has a built-in CLI that can be accessed from a script or shell environment. Using this, attackers were able to gain access to the endpoint on which Jenkins was running.

Another patch was for the arbitrary file read vulnerability in the Git server plugin. The Git server plugin uses args4j to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This allows attackers with Overall/Read permission to read the first two lines of arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

A vulnerability in the GitLab source plugin was also found. This vulnerability allows attackers to connect to an attacker-specified URL.

As a short-term workaround until the patch can be applied, it’s recommended to turn off access to the CLI.
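
A check for whether the workaround has taken effect, as an added example that is not part of the original advisory: it scans reverse-proxy access-log lines for requests to the Jenkins CLI entry points and counts those that were still answered. The `/cli` and `/cli/ws` paths come from Jenkins' own documentation rather than this page; the combined log format, the status-code rule and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined-log-format fields used here: client, method, path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def cli_path_pattern(prefix=""):
    """Match the CLI's HTTP (/cli) and WebSocket (/cli/ws) entry points."""
    base = re.escape(prefix.rstrip("/"))
    return re.compile(r"^" + base + r"/cli(?:/ws)?/?(?:\?.*)?$")

def cli_requests(lines, prefix=""):
    """Return (client, method, path, status, answered) per CLI request."""
    pattern = cli_path_pattern(prefix)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, method, path = m.group(1), m.group(2), m.group(3)
        status = int(m.group(4))
        if pattern.match(path):
            # Assumption: 2xx or 101 (WebSocket upgrade) means the CLI answered.
            answered = status == 101 or 200 <= status < 300
            hits.append((client, method, path, status, answered))
    return hits

def still_exposed(lines, prefix=""):
    """Count, per client, CLI requests that were answered rather than refused."""
    return Counter(h[0] for h in cli_requests(lines, prefix) if h[4])

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [25/Jan/2024:09:01:02 +0000] "GET /job/build-app/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Jan/2024:09:03:11 +0000] "POST /cli?remoting=false HTTP/1.1" 200 312',
    '203.0.113.7 - - [25/Jan/2024:09:03:11 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Jan/2024:09:04:40 +0000] "GET /cli/ws HTTP/1.1" 101 0',
    '198.51.100.40 - - [25/Jan/2024:10:15:09 +0000] "POST /cli?remoting=false HTTP/1.1" 403 146',
    '192.0.2.10 - - [25/Jan/2024:10:16:30 +0000] "GET /job/cli/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, count in still_exposed(SAMPLE).items():
        print(f"{client}: {count} CLI request(s) still answered")
```

Pass `prefix` when Jenkins is served under a context path such as `/jenkins`; a non-empty result after the workaround is applied means the CLI is still reachable through that front end.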

Severity:
High

Attack Surfaces:
Cloud Service, Endpoint, Endpoint OS, Server OS

Tactics:
Execution, Impact, Privilege Escalation, Reconnaissance

Technique:
T1059 Command and Scripting Interpreter
T1609 Container Administration Command
T1569 System Services
T1134 Access Token Manipulation
T1595 Active Scanning
T1499 Endpoint Denial of Service

References:
https://www.jenkins.io/security/advisory/2024-01-24/

SuperPRO’s Threat Countermeasures Procedures: 
1. Keep all software and systems up to date with the latest patches and updates to minimize the risk of exploitation.
2. Provide cybersecurity awareness training to employees to educate them about the risks of phishing attacks and social engineering techniques.
3. Regularly back up critical data and ensure that backups are stored securely.
4. Employ strong security measures such as firewalls, intrusion detection systems, and antivirus software to detect and prevent unauthorized access and malware infections.
5. Divide your network into smaller, isolated segments, each with its own set of security controls. This helps to contain the impact of a potential breach and limits an attacker’s ability to move laterally.
6. Follow least-privilege access by granting access only to the resources and systems that are necessary for each user or system.
7. Deploy security tools such as SIEM (Security Information and Event Management) to detect and analyze network traffic.
8. Enforce strong access controls, including multi-factor authentication and strong passwords, to prevent unauthorized access to systems and resources.
9. Regularly perform penetration testing to identify any vulnerabilities or weaknesses in your network.

Contributed by: Keevan