Introduction

On August 19th, CISA added a new vulnerability to its catalog of Known Exploited Vulnerabilities (KEV). Being tracked as CVE-2024-23897 with a 9.8 CVSS score, this vulnerability can be used to enable remote code execution (RCE) and data theft and affects Jenkins open-source CICD automation server. This is a file read vulnerability affecting versions prior to Jenkins 2.441 and LTS 2.426.2. The vulnerability, located in the args4j library used for parsing command arguments in the Jenkins Controller Command-Line Interface (CLI), enables unauthenticated users to read portions of files on the file system.

The vulnerability is related to the ‘expandAtFiles’ feature, where an ‘@’ character followed by a file path in an argument gets replaced with the file’s content. It poses a critical security risk with potential for remote code execution (RCE). The attack vector is ‘Arbitrary File Read’, allowing attackers to read arbitrary files using the default character encoding of the controller process.

It was first discovered and patched in January 2024.

CVE-2024-23897 – A Brief History 

Japanese Security giant Trend Micro says the exploit was first noted in the wild in March 2024 stating “Our analysis found several attack instances originating from various regions, with the majority of the source IP addresses of the attacks originating from the Netherlands, as per Shadowserver data. Meanwhile, most of the targets were from South Africa.” At the time, they also reported that they had identified groups selling and trading the exploit in exchange for BTC.

More recently, CloudSEK released a report stating that the global firm BORN group was the apparent victim of a supply chain attack that exfiltrated data from multiple client accounts using this vulnerability. This is still under investigation but it appears as though it was the work of a group known as Intelbroker, known for targeting high-profile governments, companies, and organizations.

And now, in mid-August, Juniper Networks disclosed that Ransomware gang RansomEXX had leveraged the vulnerability to enter the networks at India’s Brontoo Technology solutions. The attack which took place in July 2024 impacted payment technologies across India. According to Juniper’s report, Brontoo is a “collaborator with C-Edge Technologies, which is a joint venture between TCS (Tata Consultancy Services) and SBI (State Bank of India), was impacted by a ransomware attack, according to NPCI (National Payment Corporation of India). C-Edge primarily provides technology services to cooperative and regional rural banks.” 

Think You May be Affected by CVE-2024-23897? Here’s What to do:

if you suspect you may be using an impacted version of Jenkins:

• Verify whether your system is affected by checking the Jenkins version. The vulnerable versions include those earlier than Jenkins 2.441 and LTS 2.426.2. This step is crucial in understanding the extent of exposure to potential security risks.

• It is highly recommended to update your Jenkins installations to the latest version available. Updating to a patched version that addresses the vulnerability is an essential measure to safeguard the system against potential exploitation.

• As a temporary mitigation measure, users can choose to disable access to the Command-Line Interface (CLI) functionality. By limiting or temporarily blocking CLI access, you can prevent unauthorized activities and reduce the risk of exploitation until a comprehensive solution is applied.

We will update this advisory with new information as it becomes available.